Do the big organizations and companies use DNSSEC yet? Are you really safe from DNS spoofing online? We know who's been naughty and who's been nice - and now it's time to name and shame them!
Guess who has done it right!
In response to a conversation regarding which DNS record types to look at, separate lookups for A, AAAA, CNAME, MX and SOA are now performed. While dnssec-name-and-shame.com was written with a web focus, this should help with some additional feedback as well as praising/shaming. Expanding from just looking at A and AAAA might add some challenges, so please open an issue if you find a problem!
Cloudflare does DNSSEC, IETF in the clear
An apology goes out to IETF and Cloudflare for not removing the previous shaming on this site sooner. Cloudflare has already been signing domains for half a year, through their Universal DNSSEC service. Their push to make DNSSEC available to a broader audience is appreciated!
Older entries
Shame: IETF and PayPal not fully signed because of CNAMEs to external services in their www. subdomains.
Last month, I received two separate but similar questions: why is paypal.com reported as successful, but www.paypal.com isn't? And why is ietf.org successful but www.ietf.org not?
The answer is easy to spot with dig +dnssec www.ietf.org: IETF has correctly signed their own zone, including the A record for their domain, but the www. subdomain uses a CNAME to Cloudflare. Cloudflare hasn't signed their records (yet), so the CNAME chain leading up to an A record is broken. IETF used to be a known good example. For shame!
The same goes for www.paypal.com, which signs a CNAME record pointing to Akamai, which doesn't sign their records. Keep in mind that PayPal gave this very site a prize on 2014-04-24, because we validated them for having correctly implemented DNSSEC. For shame!
Both IETF and PayPal redirect users browsing to their web sites to the www. subdomain, which means that they're effectively bypassing their own DNSSEC signing. Perhaps you should ask for more from your external service providers?
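The check described above, as an added example that is not part of the original site: it parses a dig +dnssec answer section and lists every link in the CNAME chain that has no covering RRSIG. The sample answer is constructed (documentation names and a placeholder signature, not real output), and the function names are assumptions made for this example.

```python
# Constructed `dig +dnssec` answer section: documentation names, placeholder
# signature. Not real output for any domain named on this page.
SAMPLE_ANSWER = """\
;; ANSWER SECTION:
www.example.org. 300 IN CNAME www.example.org.cdn.example.net.
www.example.org. 300 IN RRSIG CNAME 8 3 300 20300101000000 20291201000000 12345 example.org. PLACEHOLDERSIG=
www.example.org.cdn.example.net. 300 IN A 192.0.2.10
"""


def parse_answer(text):
    """Return (rrsets, sigs): records and RRSIG signers keyed by (owner, type)."""
    rrsets, sigs = {}, {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";") or fields[2].upper() != "IN":
            continue
        owner, rtype, rdata = fields[0].lower(), fields[3].upper(), fields[4:]
        if rtype == "RRSIG":
            # RRSIG rdata: covered-type alg labels ttl expiry inception keytag signer sig
            if len(rdata) >= 9:
                sigs[(owner, rdata[0].upper())] = rdata[7].lower()
        else:
            rrsets.setdefault((owner, rtype), []).append(" ".join(rdata))
    return rrsets, sigs


def walk_chain(text, qname, qtype="A", max_hops=8):
    """Follow CNAMEs from qname; return [(owner, type, signer or None)] per hop."""
    rrsets, sigs = parse_answer(text)
    name, hops, seen = qname.lower(), [], set()
    while name not in seen and len(hops) < max_hops:  # stop on loops and long chains
        seen.add(name)
        rtype = "CNAME" if (name, "CNAME") in rrsets else qtype
        if (name, rtype) not in rrsets:
            break  # chain ends without the requested record type
        hops.append((name, rtype, sigs.get((name, rtype))))
        if rtype != "CNAME":
            break
        name = rrsets[(name, "CNAME")][0].lower()
    return hops


def unsigned_links(text, qname, qtype="A"):
    """Hops with no covering RRSIG. Presence of an RRSIG is not validation:
    a validating resolver (AD flag) must still verify the signature chain."""
    return [(n, t) for n, t, signer in walk_chain(text, qname, qtype) if signer is None]


if __name__ == "__main__":
    print(unsigned_links(SAMPLE_ANSWER, "www.example.org."))
```

In the constructed sample the zone owner signs its CNAME, but the provider's A record at the end of the chain has no signature, which is the pattern this entry describes.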
During the DNSSEC workshop at the 50th ICANN meeting, Anne-Marie handed out t-shirts promoting dnssec-name-and-shame.com to some of the most active people in DNSSEC, prompting jokes and laughter. At the same time, the site was updated with a happy image of her for successful DNSSEC lookups. Thanks again, Anne-Marie!
We have a new photo on the site - and it's not just some random stock photography this time. When dnssec-name-and-shame.com was getting attention during the hackathon, Anne-Marie Eklund Löwinder got in touch and offered to pose for the site! She's a DNSSEC pioneer and has been inducted into the Internet Hall of Fame for her efforts in securing DNS. Having worked many years trying to convince people to use DNSSEC, she was happy to see that this site has a slightly different take on things. Thank you for your support, Anne-Marie!
Security is important to PayPal, and they work hard to do everything right. One of those things is to properly implement DNSSEC, and we highlighted them as one of the few top sites that have done that correctly. Thanks PayPal for implementing DNSSEC and thanks for the honors!
Presentation live at the hackathon
Today is the day, after a couple of hours of making things pretty-pretty. But hey - let's not stop here - pull requests are accepted!
Once we found out that Twitter.com wasn't secured with DNSSEC, the game was on. How about shaming them a bit, in front of all the hackathon participants? The Twitter representative wasn't too pleased about our idea, which made it seem all the better!