[dnssec-coord] Large enterprises who have signed their domain with DNSSEC? (other than Comcast and PayPal)

Dan York york at isoc.org
Tue Jan 14 14:16:41 PST 2014


Thanks for all the comments and suggestions.  To be a bit more clear, I'll
use Peter Koch's message to dive a bit deeper (answering a couple of other
messages as I do):

On 1/8/14 11:11 AM, "Peter Koch" <pk at DENIC.DE> wrote:

>what dimension of "large" do you have in mind?  I'm asking since the
>number of employees, while sometimes scaling with
>the revenue and number of customer contacts, is probably more important
>for validation rather than signing
>and there's the whole 'split DNS' discussion.  Or would you want to focus
>on ITIL/ISO27001 type corps
>(as opposed to R.A.Ndom's webshop)?

What I'm really seeking is more of "recognizable brand names", I.e.
company names that people would know.  Larger companies are typically
risk-averse and with a zillion other things on their IT agendas doing
something that they perceive might be risky gets lowered on the list if
they don't also perceive a strong reason to do it. However, if someone in
their IT department could say, for instance, "Hey, look, Facebook signed
their domain (and the world didn't end)," it provides a sign that maybe
it's okay for that company to sign their domain.

For instance, I've heard multiple say on the validation side, "well, if
Google can enable DNSSEC-validation on their Public DNS server, maybe it
*is* something we can do on our DNS resolvers."

It's another variation on the theme of "No one ever got fired for buying
______ equipment"  (where that used to be "IBM"... don't know what it is

So I'm looking for "names" that could be used in outreach to enterprises.
Now, typically enterprises are looking for "names" in *their* part of the
industry.  So for instance Shiphol airport might be useful for outreach to
other airports or similar types of companies in the transportation
industry.  Comcast is useful within the ISP / network operator and cable

I'm sorry, Shumon and Tony, but I don't think universities buy us much in
the corporate world... my experience from working in corporate IT is that
most folks there view you all at universities as special and somewhat
bizarre places that are not as relevant to the "business" world.  (And I
realize you can dispute that... but I think the perception lives out

Now, on our monthly DNSSEC Coordination call last Thursday Casey (?) from
Verisign Labs reminded us that the team at NIST has regularly-updated
stats for .COM domains about IPv6 and DNSSEC at:


If you scan down the last column for DNSSEC you see that they show valid
signed domains for:

simon.com  (large owner of U.S. shopping malls - http://www.simon.com/mall
usaa.com  (investments, insurance, banking)

... and that's pretty much it!  There are also a couple of .net domains
and then the somewhat predictable signed I* and open source .orgs.  The
USAA one was particularly interesting to me and could be useful since it
is in the finance space.

Now, the NIST site is NOT a comprehensive list of companies....  I seem to
recall someone at NIST saying it was something like the Alexa Top 100 with
some other sites added in as well.   It is also only ".COM" and not in the
other domains.  It is, though, a useful snapshot, and shows how far we
have to go within that part of the corporate space.

>> As we start work on the next "What Is DNSSEC?" document targeted at
>>enterprises, it would be useful to have a list of enterprises with
>>signed domains that we could reference in accompanying blog posts and
>Without picking on any one of your examples in particular, signing the
>domain is of little effect if
>the major lookup target ends up as a CNAME pointing into unsigned land.
>While better than nothing,
>a 'public recognition' might be premature.

(smiling) So while I understand and agree with your point, I also think
we're at the point in the bootstrapping process where "better than
nothing" *is* helpful to some degree.  If Facebook were to sign
facebook.com and it wound up going to a CDN or CNAME, their endorsement of
DNSSEC alone could bring others along.  Obviously, though, we'd like to
have fully *working* implementations!

>PS: out of the 13500 "signed" DE delegations, I know of one big corp that
>deployed DNSSEC down to the leaves.
>    Can't disclose yet, but hope they do that themselves.

Very cool!  And yes, I do hope they disclose that fact.


Dan York
Senior Content Strategist, Internet Society
york at isoc.org <mailto:york at isoc.org>   +1-802-735-1624
Jabber: york at jabber.isoc.org <mailto:york at jabber.isoc.org>
Skype: danyork   http://twitter.com/danyork


More information about the dnssec-coord mailing list