[dns-operations] google DNS doing validation?

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Jul 26 16:27:20 UTC 2018



> On Jul 26, 2018, at 11:29 AM, Frank Bulk <frnkblk at iname.com> wrote:
> 
> There are only two zones that I know of that are intentionally broken (servfail.nl and www.dnssec-failed.org -- I'd love to have a few more), but they provide at least some indication that our customer-facing DNS resolvers are properly performing DNSSEC validation.

The folks at "undeveloped.com" usually have a bunch of domains under .se
with DS RRs that don't match the zone apex.  Presently, ~38k of them set
the record for the longest continuous downtime in my DANE/DNSSEC survey.
They've been failing DNSKEY lookups since 2018/04/29.

Sadly, there is no reason to expect ongoing failure for any particular
domain on that list, but collectively they're a pretty stable population.
A few are rather apt:

  musuemoffailure.se   [sic]
  rehabfail.se
  ratemyfail.se

:-)

-- 
	Viktor.
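
The resolver check discussed in this message (a validating resolver should answer SERVFAIL for zones whose DNSSEC is broken), as an added example that is not part of the original post. The function names, the comparison against a CD-bit (checking disabled) query, and the IPv4-only UDP transport are assumptions made here; the two zone names are the ones given in the quoted message.

```python
import secrets, socket, struct, sys

# Intentionally broken zones named in the quoted message.
BROKEN = ["servfail.nl", "www.dnssec-failed.org"]
SERVFAIL = 2

def build_query(name, cd=False):
    """A/IN query with RD, optional CD (checking disabled), and EDNS0 with DO set."""
    flags = 0x0100 | (0x0010 if cd else 0)
    header = struct.pack("!HHHHHH", secrets.randbits(16), flags, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT RR: root name, TYPE 41, CLASS = UDP size, TTL carries the DO bit, RDLEN 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + qname + struct.pack("!HH", 1, 1) + opt

def rcode(resolver, name, cd, timeout=3.0):
    """Send one UDP query to the resolver and return the 4-bit RCODE."""
    query = build_query(name, cd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        reply, _ = sock.recvfrom(4096)
    if len(reply) < 12 or reply[:2] != query[:2]:
        raise ValueError("short reply or transaction ID mismatch")
    return reply[3] & 0x0F

def classify(rc_normal, rc_cd):
    """Interpret the RCODE pair (validation on, validation bypassed) for one zone."""
    if rc_normal == SERVFAIL and rc_cd != SERVFAIL:
        return "validating"          # fails only when the resolver validates
    if rc_normal == SERVFAIL:
        return "inconclusive"        # fails with CD too: outage, not proof of validation
    return "unvalidated-answer"      # resolver not validating, or zone no longer broken

def check(resolver, names=BROKEN, query=rcode):
    """Map each test zone to a verdict; `query` is injectable for offline testing."""
    return {n: classify(query(resolver, n, False), query(resolver, n, True)) for n in names}

if __name__ == "__main__":
    for zone, verdict in check(sys.argv[1]).items():
        print(f"{zone}: {verdict}")
```

Run it with the resolver's IPv4 address as the only argument; checking several broken zones and requiring agreement guards against any single zone having been repaired.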




