[dnssec-coord] Large enterprises who have signed their domain with DNSSEC? (other than Comcast and PayPal)

Shumon Huque shuque at upenn.edu
Wed Jan 8 17:15:37 PST 2014


On Wed, Jan 08, 2014 at 05:11:07PM +0100, Peter Koch wrote:
> 
> Without picking on any one of your examples in particular, signing the domain is of little effect if
> the major lookup target ends up as a CNAME pointing into unsigned land.  While better than nothing,
> a 'public recognition' might be premature.

Sadly, I have to admit that my own organization is in this
category. Although upenn.edu is signed (and mostly has no
major delegations), the 'main' Penn website (www.upenn.edu)
is redirected via CNAME to the Akamai CDN. And Akamai doesn't
do DNSSEC yet, as far as I know. Thankfully, many other
services at Penn can be fully resolved within the signed zone
(including the websites of many of the big schools within Penn).

Below is output of querying www.upenn.edu via a validating resolver. 
(Note: 'ad' bit isn't set because not all records in answer/authority
are signed.)

$ dig +dnssec +multi www.upenn.edu.

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1570
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 8, ADDITIONAL: 9

[...]

;; ANSWER SECTION:
www.upenn.edu.		300 IN CNAME www.upenn.edu-dscg.edgesuite.net.
www.upenn.edu.		300 IN RRSIG CNAME 5 3 300 (
				20140205111044 20140106103807 50475 upenn.edu.
				A37hkggOX3ML1jarCCh6XwjG6SHVMoL0LJDiXQTRW4X3
				zjnpK6HMH5nQqbSMh2wc+G9aqfOkxLSa5tAair5T4UK6
				EXMavRgNRliiJyRDK5H3WFXugtlGO6ssxT+r00CYTwft
				tzY23YZJUlZD3bFCKvT+FY9nMuHXiFNve5vxz8w= )
www.upenn.edu-dscg.edgesuite.net. 21156	IN CNAME a1165.dscg.akamai.net.
a1165.dscg.akamai.net.	20 IN A	128.91.34.233
a1165.dscg.akamai.net.	20 IN A	128.91.34.232

[...]

-- 
Shumon Huque
University of Pennsylvania.
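
An added example, not part of the original post: a Python sketch that parses the answer section of `dig +dnssec +multi` output like the one above and reports the first RRset in the CNAME chain that carries no covering RRSIG, which is the point where the lookup leaves signed space. It only checks that signatures are present in the response, not that they validate. The function names are hypothetical and the sample signature is a constructed placeholder.

```python
import re

# Abridged from the dig output in the post above; the signature is a
# constructed placeholder, not the real RRSIG value.
SAMPLE = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 8, ADDITIONAL: 9
;; ANSWER SECTION:
www.upenn.edu.		300 IN CNAME www.upenn.edu-dscg.edgesuite.net.
www.upenn.edu.		300 IN RRSIG CNAME 5 3 300 (
				20140205111044 20140106103807 50475 upenn.edu.
				PLACEHOLDERSIGNATURE= )
www.upenn.edu-dscg.edgesuite.net. 21156	IN CNAME a1165.dscg.akamai.net.
a1165.dscg.akamai.net.	20 IN A	128.91.34.233
a1165.dscg.akamai.net.	20 IN A	128.91.34.232
"""

def parse_answer(text):
    """Return (ad_flag, records); each record is (owner, type, rdata_fields)."""
    ad, records, buf = False, [], ""
    for line in text.splitlines():
        m = re.search(r"flags:([^;]*);", line)
        if m:
            ad = "ad" in m.group(1).split()
        if not line.strip() or line.startswith(";"):
            continue
        buf += " " + line
        if buf.count("(") > buf.count(")"):
            continue  # +multi record continues on the next line
        f = buf.replace("(", " ").replace(")", " ").split()
        buf = ""
        records.append((f[0].lower(), f[3], f[4:]))  # owner TTL class type rdata
    return ad, records

def first_unsigned_link(qname, records):
    """Walk the CNAME chain from qname and return (owner, type) of the first
    RRset with no covering RRSIG in the response, or None if none is found.
    Presence of an RRSIG is checked, not its cryptographic validity."""
    signed = {(o, rd[0]) for o, t, rd in records if t == "RRSIG"}
    name, seen = qname.lower(), set()
    while name not in seen:  # 'seen' guards against CNAME loops
        seen.add(name)
        rrsets = {t: rd for o, t, rd in records if o == name and t != "RRSIG"}
        for t in rrsets:
            if (name, t) not in signed:
                return name, t
        if "CNAME" not in rrsets:
            return None
        name = rrsets["CNAME"][0].lower()
    return None
```

For the sample, `first_unsigned_link("www.upenn.edu.", parse_answer(SAMPLE)[1])` returns the `edgesuite.net` CNAME, matching the missing 'ad' bit in the header.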

