The answer is easy to spot with dig +dnssec www.ietf.org: IETF has correctly signed its own zone, including the A record for ietf.org itself, but www.ietf.org is a CNAME pointing into Cloudflare. Cloudflare hasn't signed those records (yet, pdf), so the chain from the signed CNAME to the final A record is unsigned, and a validating resolver cannot authenticate the answer a browser actually uses. IETF used to be a known good example. For shame!
The same goes for www.paypal.com, which is a signed CNAME pointing to Akamai, and Akamai doesn't sign the records at the other end of it. Keep in mind that PayPal gave this very site a prize on 2014-04-24 because we validated them as having correctly implemented DNSSEC. For shame!
Both IETF and PayPal redirect users browsing to their web sites to the www. subdomain, which means that they're effectively bypassing their own DNSSEC signing: the name the browser ends up resolving is the one whose answer isn't signed. Perhaps you should ask for more from your external service providers?
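As an added example (not code from this site), the check described above done by hand on dig +dnssec output: follow the CNAME chain from the queried name and report the first RRset on the path that has no covering RRSIG. The answer sections below are constructed with example.org and example.net names to mirror the IETF and PayPal cases; they are not real records. A present RRSIG is not the same as a valid one, so treat this as triage and use a validating resolver (for example delv, or a resolver that sets the AD flag) for the real verdict.

```python
"""Walk a CNAME chain in `dig +dnssec` output and flag the first unsigned RRset.

Added example for the dnssec-name-and-shame post; not the site's own code.
All record data below is constructed, not captured from ietf.org or paypal.com.
"""
import re
from collections import defaultdict

# An RR line in dig output: owner TTL class type rdata...
_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_answer(dig_output):
    """Return {(owner, rrtype): [rdata, ...]} from dig's ANSWER SECTION.

    Works on full `dig +dnssec` output (section headers present) and on
    `dig +dnssec +noall +answer` output (no headers at all).
    """
    rrsets = defaultdict(list)
    section = None
    for line in dig_output.splitlines():
        line = line.strip()
        sec = re.match(r"^;; (\w+) SECTION", line)
        if sec:
            section = sec.group(1)
            continue
        if not line or line.startswith(";") or section not in (None, "ANSWER"):
            continue
        m = _RR.match(line)
        if m:
            owner, _ttl, rrtype, rdata = m.groups()
            rrsets[(owner.lower(), rrtype.upper())].append(rdata)
    return rrsets


def is_signed(rrsets, owner, rrtype):
    """True if an RRSIG covering (owner, rrtype) is present; the covered type is the first RRSIG field."""
    return any(sig.split()[0].upper() == rrtype for sig in rrsets.get((owner, "RRSIG"), []))


def check_chain(dig_output, qname, qtype="A", max_hops=8):
    """Return (ok, path) where path is [(owner, rrtype, signed), ...] along the CNAME chain.

    ok is True only if every RRset on the path, the final qtype answer included,
    carries an RRSIG. ok=False is a definite hole; ok=True still needs validation.
    """
    rrsets = parse_answer(dig_output)
    qtype = qtype.upper()
    name = qname.rstrip(".").lower() + "."
    path = []
    for _ in range(max_hops):
        if (name, "CNAME") in rrsets:
            path.append((name, "CNAME", is_signed(rrsets, name, "CNAME")))
            name = rrsets[(name, "CNAME")][0].rstrip(".").lower() + "."
            continue
        if (name, qtype) in rrsets:
            path.append((name, qtype, is_signed(rrsets, name, qtype)))
            return all(signed for _, _, signed in path), path
        path.append((name, qtype, False))   # chain ends without the requested type
        return False, path
    return False, path                      # loop or overly long chain


# Constructed answer sections (hypothetical names, not real dig captures).
SIGNED_CHAIN = """\
;; ANSWER SECTION:
www.example.org. 300 IN CNAME edge.cdn.example.net.
www.example.org. 300 IN RRSIG CNAME 13 3 300 20240601000000 20240501000000 12345 example.org. c2lnbmF0dXJl
edge.cdn.example.net. 60 IN A 192.0.2.10
edge.cdn.example.net. 60 IN RRSIG A 13 4 60 20240601000000 20240501000000 54321 cdn.example.net. c2lnbmF0dXJl

;; Query time: 12 msec
"""

# Same chain, but the CDN has not signed the A record the CNAME points at.
UNSIGNED_TARGET = """\
;; ANSWER SECTION:
www.example.org. 300 IN CNAME edge.cdn.example.net.
www.example.org. 300 IN RRSIG CNAME 13 3 300 20240601000000 20240501000000 12345 example.org. c2lnbmF0dXJl
edge.cdn.example.net. 60 IN A 192.0.2.10

;; Query time: 12 msec
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:   # usage: dig +dnssec www.ietf.org | python3 chain.py www.ietf.org
        ok, path = check_chain(sys.stdin.read(), sys.argv[1])
    else:
        ok, path = check_chain(UNSIGNED_TARGET, "www.example.org")
    for owner, rrtype, signed in path:
        print(f"{owner} {rrtype}: {'signed' if signed else 'UNSIGNED'}")
    print("chain fully signed" if ok else "For shame!")
```

Run it with the real query piped in, as in the usage comment, to see which link in a site's chain is the unsigned one. The hop limit guards against CNAME loops in a misconfigured zone, and a chain that ends without the requested type is reported as unsigned rather than as a pass.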
During the DNSSEC workshop at the 50th ICANN meeting, Anne-Marie handed out t-shirts promoting dnssec-name-and-shame.com to some of the most active people in DNSSEC, prompting jokes and laughter. At the same time, the site was updated with a happy image of her for successful DNSSEC lookups. Thanks again, Anne-Marie!
We have a new photo on the site - and it's not just some random stock photography this time. When dnssec-name-and-shame.com was getting attention during the hackathon, Anne-Marie Eklund Löwinder got in touch and offered to pose for the site! She's a DNSSEC pioneer and has been inducted into the Internet Hall of Fame for her efforts in securing DNS. Having worked many years trying to convince people to use DNSSEC, she was happy to see that this site has a slightly different take on things. Thank you for your support, Anne-Marie!
Security is important to PayPal, and they work hard to do everything right. One of those things is to properly implement DNSSEC, and we highlighted them as one of the few top sites that have done that correctly. Thanks PayPal for implementing DNSSEC and thanks for the honors!
Presentation live at the hackathon
Today is the day, after a couple of hours of making things pretty-pretty. But hey - let's not stop here - pull requests are accepted!
Once we found out that Twitter.com wasn't secured with DNSSEC, the game was on. How about shaming them a bit, in front of all the hackathon participants? The Twitter representative wasn't too pleased about our idea, which made it seem all the better!