On Apr 28, 2014, at 5:50 PM, Dan York <y...@isoc.org> wrote:

> Trevor,
> 
> On Apr 28, 2014, at 5:32 PM, Trevor Freeman <trev...@exchange.microsoft.com> wrote:
> 
>> I spoke too soon. While the US government domains are signed, the actual web 
>> site is not in many cases.
>> For example:
>> www.dhs.gov is a CNAME entry to www.dhs.gov.edgekey.net, which is unsigned.
>> This is in turn a CNAME to another unsigned domain:
>>  
>> www.dhs.gov.edgekey.net is a CNAME to e6485.dscb.akamaiedge.net
> 
> Yes, support of DNSSEC by content distribution networks (CDNs) remains one of 
> the stumbling blocks to getting full DNSSEC support out there for web sites.  
> Some CDNs *do* support DNSSEC, but not for all customers, and others simply 
> don't.  We definitely need to see more CDN customers *asking* their CDN 
> providers for DNSSEC signing.
> 

(off topic really)

CDNs are the issue here, but another thing seen in DNSSEC deployment in .gov 
is the problem seen in mandated deployments of other tech in .gov (like IPv6 
:).  Admins only do the minimum of what will be checked.  Then on to the next 
fire.  So if the auditors only know your 2nd-level domains, some zones skip 
signing their lower-level delegations.  Or if it is a CNAME to a non-.gov, the 
target zone isn't signed since it isn't in .gov and won't count against you in 
the audit. 

Sadly, doing what's best is secondary to doing what the audit covers.  

Scott
> Dan
> 
> --
> Dan York
> Senior Content Strategist, Internet Society
> y...@isoc.org   +1-802-735-1624
> Jabber: y...@jabber.isoc.org 
> Skype: danyork   http://twitter.com/danyork
> 
> http://www.internetsociety.org/deploy360/ 
> 
> _______________________________________________
> perpass mailing list
> perpass@ietf.org
> https://www.ietf.org/mailman/listinfo/perpass

===================================
Scott Rose
NIST
scott.r...@nist.gov
+1 301-975-8439
Google Voice: +1 571-249-3671
http://www.dnsops.gov/
===================================
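An added check for the CNAME-chain problem Trevor and Scott describe, not code from the thread: it follows a constructed table of CNAME records and zone signing status (mirroring the www.dhs.gov chain quoted above; the unsigned status of the two CDN zones is taken from the 2014 post, not checked live) and reports the first hop that leaves a signed zone, which is what makes a validating resolver treat the final answer as insecure.

```python
# Added example (not from the thread): follow a CNAME chain through a
# constructed zone table and report the first hop that leaves a signed zone.
# A validating resolver sets AD only if every RRset in the answer, CNAME
# targets included, validates; one unsigned hop makes the whole answer
# "insecure". All data below is constructed to mirror the quoted chain.

# Constructed: zone apex -> DNSSEC-signed (DS published in the parent)?
ZONES = {
    ".": True, "gov.": True, "dhs.gov.": True, "net.": True,
    "edgekey.net.": False,     # CDN zone, unsigned per the 2014 post
    "akamaiedge.net.": False,  # CDN zone, unsigned per the 2014 post
}

# Constructed CNAME records (owner -> target), as quoted in the thread.
CNAMES = {
    "www.dhs.gov.": "www.dhs.gov.edgekey.net.",
    "www.dhs.gov.edgekey.net.": "e6485.dscb.akamaiedge.net.",
}

def fqdn(name: str) -> str:
    """Normalise to a lower-case, dot-terminated owner name."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def enclosing_zone(name: str) -> str:
    """Longest known zone apex containing ``name`` (closest zone cut)."""
    labels = fqdn(name).rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in ZONES:
            return candidate
    return "."

def audit_cname_chain(name: str, max_hops: int = 8) -> dict:
    """Walk CNAMEs from ``name``. Returns hops as (owner, zone, signed),
    whether the whole chain is signed, and the first unsigned owner."""
    hops, seen, current = [], set(), fqdn(name)
    while current not in seen and len(hops) < max_hops:  # loop guard
        seen.add(current)
        zone = enclosing_zone(current)
        hops.append((current, zone, ZONES[zone]))
        if current not in CNAMES:
            break  # terminal name: the A/AAAA RRset lives here
        current = CNAMES[current]
    unsigned = [owner for owner, _, signed in hops if not signed]
    return {"hops": hops, "secure": not unsigned,
            "first_unsigned": unsigned[0] if unsigned else None}
```

Against live DNS the same walk would use each target's DS lookup in place of the ZONES table; the audit point is that the name an auditor checks (www.dhs.gov) is only as secure as the last zone the chain lands in.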

_______________________________________________
perpass mailing list
perpass@ietf.org
https://www.ietf.org/mailman/listinfo/perpass