What DNSSEC? It's nearly nonexistent among the Fortune 500
DNSSEC
signs a domain's DNS records so resolvers can cryptographically verify the
answers they get, closing the cache-poisoning and spoofing holes that plain
DNS leaves wide open. It takes signing keys in the zone
(DNSKEY) and a matching DS record at the
parent to anchor them to the global chain of trust. We checked every
Fortune 500 company for both, resolving through validating public
DNS.
DNSSEC barely registers
bogus chain that a validating resolver rejects outright.
From signed to validated, across all 500
How the signers set it up
A signed zone picks a signing algorithm. Modern deployments use elliptic
curve (ECDSA/Ed25519), while older ones still run
big RSA keys. And signing is only half the job: without a
DS record at the parent the zone is an island, and a
broken signature makes it bogus, unreachable for anyone who
validates.
bogus domains are the real hazard: their
chain is broken, so strict resolvers refuse to resolve them at all.
53 companies with a DNSSEC footprint
Every company whose zone is signed or anchored. 47 validate end-to-end, 6 are unanchored islands, and any tagged bogus have a broken chain that validating resolvers reject.
No domains match “”.