DNSSEC adoption
Paul Kosinski
bind at iment.com
Mon Aug 1 21:44:54 UTC 2022
There has been lots of discussion recently about DNSSEC issues, including whether it's desirable to sign internal zones. Independent of this most recent issue, a couple of weeks ago I did an informal survey, using DNSVIZ, of various TLDs. I found the following rather surprising results:

DNS-VIZ and "associates"

TLD                Signed?  Comments
-----------------  -------  --------
dnsviz.net         yes      with 1 warning (!)
iana.org           yes
icann.org          yes
isc.org            yes
arin.net           yes
ietf.org           yes      with many warnings & errors
sandia.gov         yes      with many warnings & 1 error
verisign.com       yes
dns-oarc.net       yes

Widely used and/or hi-tech

TLD                Signed?  Comments
-----------------  -------  --------
google.com         no
gmail.com          no
youtube.com        no
apple.com          no
microsoft.com      no
amazon.com         no
walmart.com        no
outlook.com        no
1e100.net          no
facebook.com       no
twitter.com        no
instagram.com      no
ibm.com            no
mozilla.org        no
wikipedia.org      no
redhat.com         no
w3c.org            no
bankofamerica.com  no

Does anybody have an explanation for why such big domains don't bother using DNSSEC?

P.S. My opinion is that it is probably worthwhile to sign internal zones, especially for organizations that are tempting targets and have many internal computers.

More information about the bind-users mailing list