Number of DANE-enabled mail domains growing exponentially
Around the world, the number of mail domains with TLSA records is on the up, with growth reaching exponential proportions in the last six months. The Netherlands has taken on a key role in this movement, both within the .nl zone itself and in terms of DANE-for-mail implementation by hosting providers.
Strong global growth
Use of DANE for mail has really taken off over the last six months. According to the latest statistics on DNSSEC-Tools, nearly 1.1 million domains now use this security technology. That represents 11.5 per cent of the 9.4 million DNSSEC-signed domains that have MX records (signing is the prerequisite: a TLSA record in an unsigned zone cannot be trusted).
The number of DANE-enabled mail gateways, by contrast, has been rising on a more or less linear trajectory for some years. The much faster growth in domain numbers is down to major operators bulk-enabling DANE for the mail domains that they manage: a single gateway with TLSA records can serve a large number of domains at once. One.com, whose portfolio includes a large number of .nl domains, is one of the operators whose adoption of DANE has helped to drive the increase. Another is TransIP, which configured DANE for the domains under its control some time ago.
The figures given above come from Viktor Dukhovni, co-author of RFC 7671 (the DANE protocol's updates and operational guidance) and of RFC 7672 (DANE for SMTP). He gathers DANE statistics from various sources and circulates a monthly digest. His list of the top twenty DANE-enabled mail hosting providers includes numerous Dutch registrars.
Dutch mail gateways
Looking at the countries with the most DANE-enabled mail gateways, we see that the Netherlands is in third place for IPv4 and second place for IPv6 (even though the country lags behind on IPv6 adoption). In the table below, the left pair of columns gives the IPv4 count per country and the right pair the IPv6 count.
| IPv4 gateways | Country | IPv6 gateways | Country |
|---|---|---|---|
| 1680 | DE, Germany | 677 | DE, Germany |
| 1026 | US, United States | 309 | NL, Netherlands |
| 674 | NL, Netherlands | 221 | FR, France |
| 382 | FR, France | 170 | US, United States |
| 204 | GB, United Kingdom | 111 | CZ, Czechia |
| 170 | CZ, Czechia | 51 | GB, United Kingdom |
| 104 | CA, Canada | 40 | SE, Sweden |
| 80 | SG, Singapore | 27 | RU, Russia |
| 71 | CH, Switzerland | 27 | CH, Switzerland |
| 69 | SE, Sweden | 26 | CA, Canada |
| 48 | DK, Denmark | 20 | AT, Austria |
| 45 | IE, Ireland | 13 | DK, Denmark |
| 40 | AU, Australia | 12 | IE, Ireland |
| 39 | AT, Austria | 12 | AU, Australia |
| 38 | BR, Brazil | 11 | NO, Norway |
| 33 | FI, Finland | 10 | FI, Finland |
| 29 | PL, Poland | 10 | BR, Brazil |
| 25 | RU, Russia | 9 | SI, Slovenia |
| 21 | JP, Japan | 7 | UA, Ukraine |
| 18 | IT, Italy | 7 | PL, Poland |
The Netherlands' high position is undoubtedly linked to the lead it took on DNSSEC signing (a prerequisite for the use of DANE), to the country's relatively significant role in Europe's internet infrastructure and hosting landscape, and to the fact that, earlier this year, DANE for outgoing mail was added to the 'use-or-explain' list by the Forum for Standardisation. Unlike Sweden, the .nl zone doesn't yet have an incentive scheme for DANE, although one is in the pipeline.
The .nl zone
Only a small number of registries (including SIDN) provide Dukhovni with data on the adoption of DANE for mail in their zones. And the registries in question measure adoption in different ways. Where the other TLDs are concerned, he has to rely on data from scanners (passive) and crawlers (active). As a result, it's difficult to make international comparisons.
However, we are of course able to make certain observations regarding the situation in the .nl zone. On SIDN Labs' statistics site, you'll find information about the exponential growth in the number of DANE-enabled mail domains over the last six months. By the end of February, the figure stood at 335,000. That is very much in line with the DNSSEC-Tools graph on global DANE adoption presented above, and the .nl domain's sizeable contribution to the global total.
We must point out, however, that the data in the graph above was obtained using a different measurement method from that used by Dukhovni. We have counted all the domains that have at least one DANE-enabled MX gateway, whereas he counts only those domains whose primary gateways all have TLSA records. Dukhovni therefore puts the number of DANE-enabled domains in the .nl zone at 226,000. The difference between his figure and ours indicates how many domains have DANE enabled on only some of their gateways, typically the fallback gateways operated by their service providers. The distinction matters to a sending mail server: under RFC 7672 each MX host is evaluated on its own, so mail that fails over to a gateway without TLSA records is protected only by unauthenticated, opportunistic TLS.
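To make the two counting methods concrete, here is a small Python check. It is an example added to this page, not code from SIDN Labs or from Dukhovni's statistics pipeline. It classifies a domain both ways from its MX and TLSA records and shows the per-gateway outcome a sending MTA would reach. The domain names, MX hosts, DNS data and SPKI byte strings are constructed stand-ins; a real check would obtain them from a validating resolver and from the TLS handshake with each gateway.

```python
import hashlib
from dataclasses import dataclass

# All data below is constructed for this example; none of it is measured .nl data.
# MX RRsets: domain -> [(preference, mail exchanger)], as a resolver would return them.
MX_RECORDS = {
    "example.nl": [(10, "mx1.example.nl."), (20, "mx2.example.nl.")],
    "partial.nl": [(10, "mail.partial.nl."), (50, "fallback.hoster.example.")],
    "nodane.nl": [(10, "mx.other.example.")],
}

# Stand-ins for the DER-encoded SubjectPublicKeyInfo of each gateway's certificate.
SPKI = {
    "mx1.example.nl.": b"constructed SPKI bytes for mx1",
    "mx2.example.nl.": b"constructed SPKI bytes for mx2",
    "fallback.hoster.example.": b"constructed SPKI bytes for the hoster fallback",
}


def tlsa_311(spki_der: bytes) -> str:
    """Presentation form of a DANE-EE(3) / SPKI(1) / SHA-256(1) record for a public key."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


# TLSA RRsets keyed by the owner name an SMTP client queries: _25._tcp.<mx host>.
# mail.partial.nl. deliberately has none: only partial.nl's fallback gateway is covered.
TLSA_RECORDS = {
    "_25._tcp.mx1.example.nl.": [tlsa_311(SPKI["mx1.example.nl."])],
    "_25._tcp.mx2.example.nl.": [tlsa_311(SPKI["mx2.example.nl."])],
    "_25._tcp.fallback.hoster.example.": [tlsa_311(SPKI["fallback.hoster.example."])],
}


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes


DIGEST_LEN = {0: None, 1: 32, 2: 64}  # Full(0), SHA-256(1), SHA-512(2)


def parse_tlsa(text: str) -> TLSA:
    """Parse 'usage selector mtype hex' and reject values RFC 6698 does not define."""
    usage, selector, mtype, hexdata = text.split(maxsplit=3)
    rec = TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))
    if rec.usage not in range(4) or rec.selector not in range(2) or rec.mtype not in DIGEST_LEN:
        raise ValueError(f"unknown TLSA parameters: {text}")
    want = DIGEST_LEN[rec.mtype]
    if want is not None and len(rec.data) != want:
        raise ValueError(f"matching type {rec.mtype} needs {want} bytes, got {len(rec.data)}")
    return rec


def usable_tlsa(mx_host: str) -> list[TLSA]:
    """Records an SMTP client can act on: RFC 7672 uses only DANE-TA(2) and DANE-EE(3)."""
    rrset = TLSA_RECORDS.get(f"_25._tcp.{mx_host}", [])
    return [r for r in map(parse_tlsa, rrset) if r.usage in (2, 3)]


def coverage(domain: str) -> dict:
    """Classify a domain both ways the article describes.

    any_mx_dane: at least one gateway has a usable TLSA RRset (the SIDN Labs count).
    all_mx_dane: every gateway has one (Dukhovni's stricter count, and what a sending
    MTA needs for delivery to be authenticated whichever MX it ends up using).
    per_host: the policy a sending MTA applies to each gateway, in preference order.
    """
    hosts = [h for _, h in sorted(MX_RECORDS[domain])]
    per_host = {h: ("dane" if usable_tlsa(h) else "opportunistic") for h in hosts}
    covered = [p == "dane" for p in per_host.values()]
    return {"any_mx_dane": any(covered), "all_mx_dane": all(covered), "per_host": per_host}


def matches_dane_ee(mx_host: str, spki_der: bytes) -> bool:
    """Does the public key presented by mx_host match one of its '3 1 1' records?"""
    digest = hashlib.sha256(spki_der).digest()
    return any(r.selector == 1 and r.mtype == 1 and r.data == digest
               for r in usable_tlsa(mx_host) if r.usage == 3)


if __name__ == "__main__":
    for name in MX_RECORDS:
        print(name, coverage(name))
```

Run against the constructed data, example.nl is DANE-enabled under both counts, partial.nl counts only under the "at least one gateway" method, and nodane.nl under neither. The per_host view is the one that matters operationally: a domain whose primary MX has no TLSA record is delivered to with opportunistic TLS for the bulk of its mail, however its fallback is configured.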
Despite all the differences in approach and quantification method, the various figures reveal a clear trend: the number of DANE-enabled mail domains has recently been rising sharply, reminiscent of the way support for DNSSEC shot up in the Netherlands a few years ago.
Control panel security
A new name in the DANE support listing is managed services provider Prolocation. All 4,900 domain names in the Prolocation portfolio were provided with DANE security at the start of the year. According to Raymond Dijkxhoorn, the company's system and network specialist, enabling DANE was relatively straightforward. "We helped SURFnet to develop the DANE standard, so we were in on the trend from the start. Because our control panel was used in the development process, we went live with DANE provisioning before anyone else. Now we have an operational interface that lets customers enter their own DANE data."
For ordinary TLS certificates, the free Let's Encrypt service is generally used for renewal. You could therefore say that the initiative is acting as a brake on the introduction of the more robust DANE for the web in combination with self-signed certificates. What's more, according to Dijkxhoorn, customers often overlook the fact that automating the mandatory renewals of the "free" Let's Encrypt certificates costs far more than occasionally buying a commercial certificate.
In the interest of security, Dijkxhoorn would rather see the emphasis placed on control panels. "It's not uncommon for registrars' control panels to be hacked by people who simply circumvent the cryptographic security. It would be good if, for example, SIDN developed guidelines for control panels."