Growth of DANE security for mail slows down
Netherlands leads the way on DANE adoption
Over the last three years, the use of DANE for mail has taken off. The main driver has been the addition of support for the security protocol to the leading mail server software packages. This year, however, we've observed a worrying slowdown in the rate of growth. Because of our pioneering work with DNSSEC – which must be enabled for DANE to function – .nl domain names and other domain names hosted by Dutch service providers account for the majority of DANE-secured mail domains. And, with nearly 700,000 DANE-secured domains, the .nl zone is the world's number one TLD for DANE support.
Number of domain names | Hosting provider |
---|---|
1,219,025 | one.com |
152,732 | TransIP |
150,806 | Argeweb |
148,860 | Infomaniak |
117,833 | Hostpoint |
Table 1: Top five hosting providers for DANE-enabled domain names. Source: Viktor Dukhovni, September 2021.
Number of domain names | Top-level domain |
---|---|
699,702 | .nl |
410,927 | .com |
331,972 | .se |
228,733 | .dk |
137,370 | .no |
133,715 | .be |
132,688 | .de |
126,812 | .cz |
95,068 | .ch |
78,216 | .eu |
75,666 | .uk |
39,681 | .net |
Table 2: Top twelve top-level domains for DANE-enabled domain names. Source: Viktor Dukhovni, August 2021.
According to the latest statistics on DNSSEC-Tools, 2.8 million mail domains are currently DANE-enabled (as of September 2021). That's roughly 17 per cent of the 16.2 million domains with DNSSEC-signed MX records – significantly up on the 11.5 per cent of two years ago. Increasing use is clearly being made of previous investments in DNSSEC.
Although our own DANE statistics for the .nl zone are compiled in a slightly different way than the DNSSEC-Tools data, they tell a similar story: that growth has plateaued (and even turned into a slight decline).
We had previously seen exponential growth in the number of DANE-secured mail domains, accompanied by a linear increase in the number of domains that published DANE (TLSA) records for their own MX gateways. That suggests that the growth was mainly down to big mail service providers bulk-enabling DANE on the domains they hosted. However, the growth of those numbers has also tailed off rapidly over the last year.
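The two counts contrasted above can be told apart mechanically. The following is an added example, not SIDN's or DNSSEC-Tools' own code: all domain names, MX hosts and survey rows are constructed, and the rule that every MX host must have a TLSA record is an assumption of this sketch.

```python
from collections import Counter

# Constructed survey rows (not real measurements): each domain's MX hosts and
# whether its MX RRset validated under DNSSEC.
DOMAINS = {
    "alpha.example": {"mx": ["mx1.bigmail.example"], "mx_signed": True},
    "bravo.example": {"mx": ["mx1.bigmail.example", "mx2.bigmail.example"],
                      "mx_signed": True},
    "charlie.example": {"mx": ["mx1.bigmail.example"], "mx_signed": False},
    "delta.example": {"mx": ["mail.delta.example"], "mx_signed": True},
    "echo.example": {"mx": ["mx.smallhost.example"], "mx_signed": True},
}
# Constructed: MX hosts for which a DNSSEC-validated TLSA RRset was found.
TLSA_HOSTS = {"mx1.bigmail.example", "mx2.bigmail.example", "mail.delta.example"}


def tlsa_name(mx_host, port=25):
    """Owner name of the TLSA RRset for an SMTP server (RFC 7672)."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."


def is_dane_enabled(row, tlsa_hosts):
    # Assumption of this example: a domain counts only if its MX RRset is
    # DNSSEC-signed and every MX host has a TLSA record.
    return (row["mx_signed"] and bool(row["mx"])
            and all(h in tlsa_hosts for h in row["mx"]))


def runs_own_mx(domain, row):
    # True when at least one MX host sits at or below the domain itself.
    return any(h == domain or h.endswith("." + domain) for h in row["mx"])


def summarize(domains, tlsa_hosts):
    signed = [d for d, r in domains.items() if r["mx_signed"]]
    dane = [d for d in signed if is_dane_enabled(domains[d], tlsa_hosts)]
    own = [d for d in dane if runs_own_mx(d, domains[d])]
    per_host = Counter(h for d in dane for h in domains[d]["mx"])
    return {
        "signed_mx": len(signed),
        "dane_enabled": len(dane),
        "dane_share": len(dane) / len(signed) if signed else 0.0,
        "own_mx_with_tlsa": len(own),
        "domains_per_mx_host": dict(per_host),
    }


if __name__ == "__main__":
    print(tlsa_name("mx1.bigmail.example"))
    print(summarize(DOMAINS, TLSA_HOSTS))
```

In the constructed data, charlie.example is excluded even though its provider's MX host has TLSA records, because its own MX RRset is unsigned.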
One possible explanation for the phenomena described above is that the big mail service providers have now enabled DANE on their MX gateways, while smaller operators have difficulty implementing DANE. Although we offer financial incentives to all .nl registrars that adopt DANE for mail, the economic case for adoption is strongest for those with large domain name portfolios. Another possibility is that the pandemic has affected uptake of DANE. For many organisations, the priority was suddenly making business networks accessible to people working from home. Less personal contact may also have led to fewer new projects getting off the ground.
For anyone interested in securing mail domains with DANE, we've published detailed advice on configuring DANE for both Postfix and Exim. If you need to set up DNSSEC first, we also provide a series of hands-on articles for the most popular DNS servers.