I don't know--it really seems pretty rare in the sites I use day-to-day. Going over a list of popular websites (plus a few of interest to hackernews users), I don't think any of hackernews, google, reddit, github, wikipedia, facebook, yahoo, amazon, twitter, tumblr, bing, or ebay are using DNSSEC. My bank is not, nor are any of the other banks I thought of off the top of my head.
I am certainly not a DNSSEC expert, so take my explanation with a grain of salt.

Short answer: www.paypal.com is a CNAME for an Akamai box. That CNAME record is secure:

    $ unbound-host -v -t cname www.paypal.com
    www.paypal.com has CNAME record www.paypal.com.akadns.net. (secure)

Everything falls apart when your resolver finishes the rest of the required lookups to get an IP address from akadns/akamaiedge.

As I have been experimenting with/researching DNSSEC, I have often found it is useful to use Verisign's tool AND Sandia's dnsviz[1] tool. For the moment forget what I said about paypal's CNAME and compare Sandia's[2] and Verisign's[3] results for www.paypal.com and see if you can spot the issue.

You are correct that it is a relief that Verisign uses DNSSEC, but if I may be so bold, I think you may be wrong about why it is a relief. (I am trying to be helpful; I apologize if that sounds dickish, it is not my intent.) With DNSSEC (just like DNS) everything flows from the root. Verisign manages the .com TLD, so if they did not sign .com you could not verify anyhost.com. The same thing can be said for DISA, GSA and PIR for the .mil, .gov and .org zones respectively.

As far as NIST goes, they are the second least surprising DNSSEC adopter as far as the federal government goes. Because of NIST's standards function within the government, they are normally at the forefront for things like this. Moreover, DNSSEC is heavily reliant on accurate time, and NIST is the home of the government's truechimer. However, if you go down this rabbit hole you start to have some serious chicken-and-egg problems.
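To make the "weakest hop" point above concrete, here is an added example (not code from the thread or from unbound) that parses `unbound-host -v` output and follows the CNAME chain, reporting the weakest validation status along it. The sample lines are constructed, and the exact status wording unbound-host prints (`secure`, `insecure`, `BOGUS (...)`) is an assumption.

```python
import re

# Constructed sample (not real output): what a validating resolver's
# "unbound-host -v www.paypal.com" prints; address and statuses are made up.
SAMPLE_OUTPUT = """\
www.paypal.com has CNAME record www.paypal.com.akadns.net. (secure)
www.paypal.com.akadns.net has address 192.0.2.10 (insecure)
"""
# "<owner> has <TYPE> record <rdata> (<status>)" or "<owner> has address <ip>
# (<status>)"; unbound-host reports secure, insecure or BOGUS (...).
LINE_RE = re.compile(
    r"^(?P<owner>\S+) has (?:(?P<type>\S+) record|address|IPv6 address) "
    r"(?P<target>\S+) \((?P<status>secure|insecure|BOGUS.*)\)$"
)
RANK = {"bogus": 0, "insecure": 1, "secure": 2}

def parse_unbound_host(text):
    """Return (owner, rtype, target, status) tuples, one per answer line."""
    hops = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines and "not found" messages are not answers
        status = "bogus" if m.group("status").startswith("BOGUS") else m.group("status")
        rtype = m.group("type") or ("AAAA" if "IPv6" in line else "A")
        hops.append((m.group("owner").rstrip("."), rtype,
                     m.group("target").rstrip("."), status))
    return hops

def chain_status(text, name):
    """Follow CNAMEs from `name`; return (weakest status, owner that set it).
    A secure CNAME into an unsigned zone still yields an insecure address;
    a chain with no final answer gives ("missing", <unanswered name>)."""
    index = {}
    for owner, rtype, target, status in parse_unbound_host(text):
        index.setdefault(owner, []).append((rtype, target, status))
    current, overall, weakest, seen = name.rstrip("."), "secure", None, set()
    while current not in seen:  # also terminates on a CNAME loop
        seen.add(current)
        records = index.get(current)
        if not records:
            return "missing", current
        for _, _, status in records:
            if RANK[status] < RANK[overall]:
                overall, weakest = status, current
        cnames = [t for rtype, t, _ in records if rtype == "CNAME"]
        if not cnames:
            break
        current = cnames[0]
    return overall, weakest
```

Running `chain_status(SAMPLE_OUTPUT, "www.paypal.com")` reports the chain as insecure and names the akadns hop as the place the validation status dropped, which is exactly what the Verisign debugger shows for the A record.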
Since you mentioned banks, I just need to chime in:
I recently (May, June) surveyed 100 European banks (in Germany, Switzerland, France, Italy, Austria), roughly selected for the 20 specimens with the greatest total assets per country.
None of them have deployed DNSSEC. Most use SSL, many use EV certificates, a few go so far as to include HSTS. DNSSEC? Zero.
Of the sites you mention, paypal is the only one that I use on any sort of a recurring basis. But it's a little weird to a DNSSEC newbie like me, so maybe you can explain. The verisign tool shows that paypal.com is using DNSSEC, but it doesn't appear that www.paypal.com itself is secured. Is the chrome plugin giving me misleading information? Is this how things are supposed to be?
And a lot of US government sites have DNSSEC waivers. The first two examples I tried:
cia.gov appears to not use DNSSEC: http://dnssec-debugger.verisignlabs.com/www.cia.gov
nsa.gov appears to not use DNSSEC: http://dnssec-debugger.verisignlabs.com/www.nsa.gov
(Thank goodness the verisign tool itself IS using DNSSEC.)
A long list of US .gov sites with and without working DNSSEC: http://fedv6-deployment.antd.nist.gov/cgi-bin/generate-gov
(Also: nist.gov is using DNSSEC)