DNSSEC adoption

Paul Kosinski bind at iment.com
Mon Aug 1 21:44:54 UTC 2022


There has been lots of discussion recently about DNSSEC issues, including whether it's desirable to sign internal zones. Independent of this most recent issue, a couple of weeks ago I did an informal survey, using DNSVIZ, of various TLDs. I found the following rather surprising results:

DNS-VIZ and "associates"

TLD                Signed?  Comments
-----------------  -------  --------
dnsviz.net         yes      with 1 warning (!)
iana.org           yes
icann.org          yes
isc.org            yes
arin.net           yes
ietf.org           yes      with many warnings & errors

sandia.gov         yes      with many warnings & 1 error
verisign.com       yes
dns-oarc.net       yes


Widely used and/or hi-tech

TLD                Signed?  Comments
-----------------  -------  --------
google.com         no
gmail.com          no
youtube.com        no
apple.com          no
microsoft.com      no
amazon.com         no
walmart.com        no
outlook.com        no
1e100.net          no
facebook.com       no
twitter.com        no
instagram.com      no
ibm.com            no
mozilla.org        no
wikipedia.org      no
redhat.com         no
w3c.org            no
bankofamerica.com  no

Does anybody have an explanation for why such big domains don't bother using DNSSEC?


P.S.  My opinion is that it is probably worthwhile to sign internal zones, especially for organizations that are tempting targets and have many internal computers.
	

