acetousk/dnssec.md
Created June 10, 2026 23:49
aws.com and google.com don't have DNSSEC enabled
I was looking at Verisign's public DNS WHOIS checker and I got this crazy result.
Amazon.com doesn't have DNSSEC enabled.
```
# To verify run:
~ ❯ delv amazon.com
; unsigned answer
amazon.com. 2 IN A 98.82.161.185
amazon.com. 2 IN A 98.87.170.71
amazon.com. 2 IN A 98.87.170.74
```
Surely aws.com has it enabled?
```
~ ❯ delv aws.com
; unsigned answer
aws.com. 59 IN A 143.204.142.107
aws.com. 59 IN A 143.204.142.125
aws.com. 59 IN A 143.204.142.53
aws.com. 59 IN A 143.204.142.119
```
Okay google.com has it enabled:
```
~ ❯ delv google.com
; unsigned answer
google.com. 141 IN A 173.194.42.101
google.com. 141 IN A 173.194.42.113
google.com. 141 IN A 173.194.42.102
google.com. 141 IN A 173.194.42.138
google.com. 141 IN A 173.194.42.100
google.com. 141 IN A 173.194.42.139
```
Okay, there's something seriously wrong: this tool is broken, or my client is wrong. What about Cloudflare:
```
~ ❯ delv cloudflare.com
; fully validated
cloudflare.com. 134 IN A 104.16.132.229
cloudflare.com. 134 IN A 104.16.133.229
cloudflare.com. 134 IN RRSIG A 13 2 300 20260612003424 20260609223424 34505 cloudflare.com. bK9MssAMDa7/6dM0CJ0tRYisBorQ8vaDDWrhyvvzJjO7qp6ogft0eUdy c22Loq0Lw172ClsPmz2CWW5WLBMWfQ==
```
So it's not my tool, because Cloudflare is working.
Can someone please explain what is happening?
AWS themselves have an article about this.
With no DNSSEC, there is no way to cryptographically prove that the DNS records are accurate, so a DNS server's cache could return an attacker's IP.
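An added example, not part of the original gist: a small Python parser that reads `delv` output like the runs above and reports the verdict line plus each RRSIG's validity window, so a list of domains can be checked in bulk. The helper name `parse_delv` and the embedded samples are assumptions for illustration; the `;; resolution failed` prefix is what delv prints when a lookup cannot be completed or validated.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: delv output copied from the runs above
# (signature field shortened to "sig==" for readability).
SIGNED = """; fully validated
cloudflare.com. 134 IN A 104.16.132.229
cloudflare.com. 134 IN RRSIG A 13 2 300 20260612003424 20260609223424 34505 cloudflare.com. sig==
"""
UNSIGNED = """; unsigned answer
aws.com. 59 IN A 143.204.142.107
"""

# RRSIG presentation format (RFC 4034): covered type, algorithm, labels,
# original TTL, expiration, inception, key tag, signer name, signature.
RRSIG = re.compile(
    r"^\S+\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+(\d+)\s+\d+\s+\d+\s+"
    r"(\d{14})\s+(\d{14})\s+(\d+)\s+(\S+)\s"
)

def _ts(value):
    # RRSIG timestamps are YYYYMMDDHHmmSS in UTC.
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_delv(text, now=None):
    """Return delv's verdict and any RRSIG validity windows (hypothetical helper)."""
    now = now or datetime.now(timezone.utc)
    result = {"status": "unknown", "rrsigs": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";; resolution failed"):
            result["status"] = "failed"        # lookup or validation error
        elif line.startswith(";"):
            if line.endswith("fully validated"):
                result["status"] = "validated"
            elif line.endswith("unsigned answer"):
                result["status"] = "unsigned"  # no signatures to check
            continue
        match = RRSIG.match(line)
        if match:
            covered, alg, expires, inception, tag, signer = match.groups()
            result["rrsigs"].append({
                "covered": covered, "algorithm": int(alg), "key_tag": int(tag),
                "signer": signer, "expires": _ts(expires),
                "current": _ts(inception) <= now <= _ts(expires),
            })
    return result

if __name__ == "__main__":
    for sample in (SIGNED, UNSIGNED):
        print(parse_delv(sample))
```

To use it on live data, pass the captured output of `delv <domain>` as `text`; an `unsigned` status is a different outcome from `failed`, which is the one that indicates a signature problem.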