[dns-operations] google DNS doing validation?
Patrik Wallström
pawal at blipp.com
Fri Jul 27 14:01:45 UTC 2018
On 2018-07-26 18:27, Viktor Dukhovni wrote:
>
>
>> On Jul 26, 2018, at 11:29 AM, Frank Bulk <frnkblk at iname.com> wrote:
>>
>> There's only two zones that I know that are intentionally broken (servfail.nl and www.dnssec-failed.org -- I'd love to have a few more), but they provide at least some indication that our customer-facing DNS resolvers are properly performing DNSsec validation.
>
> The folks at "undeveloped.com" usually have a bunch of domains under .se
> with DS RRs that don't match the zone apex. Presently, ~38k of them set
> the record for the longest continuous downtime in my DANE/DNSSEC survey.
> They've been failing DNSKEY lookups since 2018/04/29.
>
> Sadly, there is no reason to expect ongoing failure for any particular
> domain on that list, but collectively they're a pretty stable population.
> A few are rather apt:
>
> musuemoffailure.se [sic]
> rehabfail.se
> ratemyfail.se
>
> :-)
I stable broken .se domain is trasigdnssec.se set up intentionally by
IIS. I believe somebody at some point fixed it, and promptly unfixed it.
More information about the dns-operations
mailing list