Photo of Anne-Marie Eklund Löwinder, DNSSEC pioneer, when she's angry Photo of Anne-Marie Eklund Löwinder, DNSSEC pioneer, when she's happy

is secured with DNSSEC!

DNSSEC lookup details
  • A (IPv4)
  • AAAA (IPv6)
  • CNAME (alias)
  • MX (mail)
  • SOA (authority)
Check a domain for DNSSEC compliance

DNSSEC name and shame!

Do the big organizations and companies use DNSSEC yet? Are you really safe from DNS spoofing online? We know who's been naughty and who's been nice - and now it's time to name and shame them!

Guess who have done it right! Click domain names to see live results

Known good examples

The organizations and companies working with DNSSEC are of course signed - follow their example!

More example domains

The Next Web's Kings of Code Hack Battle API sponsors 2014

These organizations and companies sponsored the event where this tool was hacked together.

Resources

Log

Separate A, AAAA, CNAME, MX, SOA lookups

In response to a conversation regarding which DNS record types to look at, separate lookups for A, AAAA, CNAME, MX and SOA are now performed. While dnssec-name-and-shame.com was written with a web focus, this should help with some additional feedback as well as praising/shaming. Expanding from just looking at A and AAAA might add some challenges, so please open an issue if you find a problem!

Cloudflare does DNSSEC, IETF in the clear

An apology goes out to IETF and Cloudflare for not removing the previous shaming on this site sooner. Cloudflare has already been signing domains for half a year, through their Universal DNSSEC service. Their push to make DNSSEC available to a broader audience is appreciated!

Older entries

Shame: IETF and PayPal not fully signed because of CNAMEs to external services in their www. subdomains.

Last month, I received two separate but similar questions: why is paypal.com reported as successful, but www.paypal.com isn't? And why is ietf.org successful but www.ietf.org not?

The answer is easy to spot with dig +dnssec www.ietf.org: IETF has correctly signed their own zone, including the A record for their domain, but the www. subdomain uses a CNAME to Cloudflare. Cloudflare hasn't signed their records (yet, pdf), so the CNAME chain leading up to an A record is broken. IETF used to be a known good example. For shame!

The same goes for www.paypal.com, which signs a CNAME record pointing to Akamai, which doesn't sign their records. Keep in mind that PayPal gave this very site a prize 2014-04-24, because we validated them for having correctly implemented DNSSEC. For shame!

Both IETF and PayPal redirect users browsing to their web sites to the www. subdomain, this means that they're effectively bypassing their own DNSSEC signing. Perhaps you should ask for more from your external service providers?

Happy Anne-Marie Eklund Löwinder handing out t-shirts at ICANN 50 in London

During the DNSSEC workshop at the 50th ICANN meeting, Anne-Marie handed out t-shirts promoting dnsssec-name-and-shame.com to some of the most active people in DNSSEC, prompting jokes and laughter. At the same time, the site was updated with a happy image of her for successful DNSSEC lookups. Thanks again, Anne-Marie!

Anne-Marie Eklund Löwinder, DNSSEC pioneer, reminds you to sign your DNS records

We have a new photo on the site - and it's not just some random stock photography this time. When dnssec-name-and-shame.com was getting attention during the hackathon, Anne-Marie Eklund Löwinder got in touch and offered to pose for the site! She's a DNSSEC pioneer and has been inducted into the Internet Hall of Fame for her efforts in securing DNS. Having worked many years trying to convince people to use DNSSEC, she was happy to see that this site has a slightly different take on things. Thank you for your support, Anne-Marie!

dnssec-name-and-shame.com wins PayPal's TNW Hack Battle prize!

Security is important to PayPal, and they work hard to do everything right. One of those things is to properly implement DNSSEC, and we hightlighted them as one of the few top sites who have done that correctly. Thanks PayPal for implementing DNSSEC and thanks for the honors!

Older entries

Presentation live at the hackathon

Today is the day, after a couple of hours of making things pretty-pretty. But hey - let's not stop here - pull requests are accepted!

Initial shaming on The Next Web's Kings of Code Hack Battle 2014

Once we found out that Twitter.com wasn't secured with DNSSEC, the game was on. How about shaming them a bit, in front of all the hackathon participants? The Twitter representative wasn't too pleased about our idea, which made it seem all the much better!