[dns-operations] google DNS doing validation?

Patrik Wallström pawal at blipp.com
Fri Jul 27 14:01:45 UTC 2018

On 2018-07-26 18:27, Viktor Dukhovni wrote:
>> On Jul 26, 2018, at 11:29 AM, Frank Bulk <frnkblk at iname.com> wrote:
>> There's only two zones that I know that are intentionally broken (servfail.nl and www.dnssec-failed.org -- I'd love to have a few more), but they provide at least some indication that our customer-facing DNS resolvers are properly performing DNSsec validation. 
> The folks at "undeveloped.com" usually have a bunch of domains under .se
> with DS RRs that don't match the zone apex.  Presently, ~38k of them set
> the record for the longest continuous downtime in my DANE/DNSSEC survey.
> They've been failing DNSKEY lookups since 2018/04/29.
> Sadly, there is no reason to expect ongoing failure for any particular
> domain on that list, but collectively they're a pretty stable population.
> A few are rather apt:
>   musuemoffailure.se   [sic]
>   rehabfail.se
>   ratemyfail.se
> :-)

I stable broken .se domain is trasigdnssec.se set up intentionally by
IIS. I believe somebody at some point fixed it, and promptly unfixed it.

More information about the dns-operations mailing list