[dnssec-coord] Large enterprises who have signed their domain with DNSSEC? (other than Comcast and PayPal)

Shumon Huque shuque at upenn.edu
Wed Jan 8 17:15:37 PST 2014

On Wed, Jan 08, 2014 at 05:11:07PM +0100, Peter Koch wrote:
> Without picking on any one of your examples in particular, signing the domain is of little effect if
> the major lookup target ends up as a CNAME pointing into unsigned land.  While better than nothing,
> a 'public recognition' might be premature.

Sadly, I have to admit that my own organization is in this
category. Although upenn.edu is signed (and mostly has no
major delegations), the 'main' Penn website (www.upenn.edu)
is redirected via CNAME to the Akamai CDN. And Akamai doesn't
do DNSSEC yet, as far as I know. Thankfully, many other
services at Penn can be fully resolved within the signed zone
(including the websites of many of the big schools within Penn).

Below is the output of querying www.upenn.edu via a validating resolver.
(Note: 'ad' bit isn't set because not all records in answer/authority
are signed.)

$ dig +dnssec +multi www.upenn.edu.

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1570
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 8, ADDITIONAL: 9


www.upenn.edu.		300 IN CNAME www.upenn.edu-dscg.edgesuite.net.
www.upenn.edu.		300 IN RRSIG CNAME 5 3 300 (
				20140205111044 20140106103807 50475 upenn.edu.
				tzY23YZJUlZD3bFCKvT+FY9nMuHXiFNve5vxz8w= )
www.upenn.edu-dscg.edgesuite.net. 21156	IN CNAME a1165.dscg.akamai.net.
a1165.dscg.akamai.net.	20 IN A
a1165.dscg.akamai.net.	20 IN A


Shumon Huque
University of Pennsylvania.
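
Added example, not part of the original message: a small Python check that walks the CNAME chain in an answer section like the one quoted above and reports the first RRset that carries no covering RRSIG, which is the point where the AD bit is lost. It only tests for the presence of signatures and does not validate them. Assumptions: records are on single lines (dig without +multi), and the A-record addresses and the signature string in the sample are constructed placeholders.

```python
# SAMPLE is constructed from the answer section quoted in the message.
# The 192.0.2.x addresses (documentation range) and the signature text are
# placeholders; the original output does not show those values.
SAMPLE = """\
www.upenn.edu. 300 IN CNAME www.upenn.edu-dscg.edgesuite.net.
www.upenn.edu. 300 IN RRSIG CNAME 5 3 300 20140205111044 20140106103807 50475 upenn.edu. PLACEHOLDERSIG=
www.upenn.edu-dscg.edgesuite.net. 21156 IN CNAME a1165.dscg.akamai.net.
a1165.dscg.akamai.net. 20 IN A 192.0.2.10
a1165.dscg.akamai.net. 20 IN A 192.0.2.11
"""

def parse_answer(text):
    """Return (rrsets, covered): rrsets maps (owner, type) -> [rdata, ...];
    covered is the set of (owner, type) pairs that have an RRSIG."""
    rrsets, covered = {}, set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop dig comment lines
        if not line:
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        owner = owner.lower()
        if rtype == "RRSIG":
            covered.add((owner, rdata.split()[0]))  # first field: type covered
        else:
            rrsets.setdefault((owner, rtype), []).append(rdata)
    return rrsets, covered

def walk_chain(qname, text, max_hops=8):
    """Follow CNAMEs from qname; return [(owner, type, has_rrsig)] per hop."""
    rrsets, covered = parse_answer(text)
    name, hops = qname.lower(), []
    for _ in range(max_hops):                  # bound the walk against loops
        if (name, "CNAME") in rrsets:
            hops.append((name, "CNAME", (name, "CNAME") in covered))
            name = rrsets[(name, "CNAME")][0].lower()
            continue
        for owner, rtype in rrsets:            # terminal RRsets (A, AAAA, ...)
            if owner == name:
                hops.append((owner, rtype, (owner, rtype) in covered))
        break
    return hops

def first_unsigned(hops):
    """First hop with no covering RRSIG, or None if every hop has one."""
    return next((h for h in hops if not h[2]), None)

if __name__ == "__main__":
    chain = walk_chain("www.upenn.edu.", SAMPLE)
    for owner, rtype, signed in chain:
        print(("signed   " if signed else "UNSIGNED ") + owner + " " + rtype)
    print("chain leaves signed data at:", first_unsigned(chain))
```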
