Trevor, On Apr 28, 2014, at 5:32 PM, Trevor Freeman <[email protected]<mailto:[email protected]>> wrote:
I spoke to soon. While the US government domains is signed, the actual web site is not in many cases. For example: www.dhs.gov<http://www.dhs.gov> is a cname entry www.dhs.gov.edgekey.net<http://www.dhs.gov.edgekey.net> which is unsigned. This is in turn a CNAME to another unsigned domain www.dhs.gov.edgekey.net<http://www.dhs.gov.edgekey.net> is a CNAME to e6485.dscb.akamaiedge.net<http://e6485.dscb.akamaiedge.net> Yes, support of DNSSEC by content distribution networks (CDNs) remains one of the stumbling blocks to getting full DNSSEC support out there for web sites. Some CDNs *do* support DNSSEC, but not for all customers, and other simply don't. We definitely need to see more CDN customers *asking* their CDN providers for DNSSEC-signing. Dan -- Dan York Senior Content Strategist, Internet Society [email protected]<mailto:[email protected]> +1-802-735-1624 Jabber: [email protected]<mailto:[email protected]> Skype: danyork http://twitter.com/danyork http://www.internetsociety.org/deploy360/
_______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass
