[dns-operations] google DNS doing validation?

John Todd jtodd at quad9.net
Fri Jul 27 16:53:11 UTC 2018

On 26 Jul 2018, at 8:29, Frank Bulk wrote:

> Thanks for hosting that zone and breaking it again. =)
> There's only two zones that I know that are intentionally broken 
> (servfail.nl and www.dnssec-failed.org -- I'd love to have a few 
> more), but they provide at least some indication that our 
> customer-facing DNS resolvers are properly performing DNSSEC 
> validation.
> Frank

We see quite a bit of DNSSEC traffic that is “broken” but seems to 
be intentionally non-operational. Intentionally broken DNSSEC is by far 
the largest source of DNSSEC failure traffic we see on our resolvers (we 
perform strict validation on but not on

Since there was a request for some additional broken domains, here are a 
few that we see frequently:

  Domains that seem to be “intentionally” broken in a programmatic 
way that appears to be testing:


  Fixed addresses that come up quite often which seem to be intentional:


Of course, there are many domains that consistently fail DNSSEC lookups 
which give no indication via the name that it is intentional.
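
An added example, not part of the original post: one way to turn the two intentionally broken zones named in the quoted message into a resolver check. It assumes a validating resolver answers SERVFAIL for a broken zone but resolves it when the query sets CD (checking disabled); the helper names and the sample response headers are constructed for illustration.

```python
import socket, struct, sys

def build_query(name, cd=False, qid=0x1234):
    """A query with RD set, optional CD (checking disabled), and EDNS0 DO."""
    flags = 0x0100 | (0x0010 if cd else 0)            # RD, plus CD on request
    header = struct.pack("!6H", qid, flags, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"
    question = qname + struct.pack("!2H", 1, 1)       # QTYPE=A, QCLASS=IN
    # OPT RR: root name, type 41, 1232-byte UDP size, DO bit in TTL, no RDATA
    opt = b"\0" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def rcode(resp):
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", resp[2:4])[0] & 0xF

def classify(broken, broken_cd):
    """Raw responses for a deliberately broken zone, without and with CD."""
    plain, cd = rcode(broken), rcode(broken_cd)
    if plain == 2 and cd == 0:
        return "validating"        # SERVFAIL only because validation failed
    if plain == 0:
        return "not validating"    # bogus data was handed to the client
    return "inconclusive"          # e.g. SERVFAIL both ways: outage, not proof

def ask(resolver, name, cd=False, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, cd), (resolver, 53))
        return s.recvfrom(4096)[0]

# Constructed 12-byte response headers (not captured traffic), for offline use.
SERVFAIL = struct.pack("!6H", 0x1234, 0x8182, 1, 0, 0, 1)      # QR RD RA, rcode 2
NOERROR = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 1)       # one answer
NOERROR_CD = struct.pack("!6H", 0x1234, 0x8190, 1, 1, 0, 1)    # CD echoed

if __name__ == "__main__":
    if len(sys.argv) == 2:         # live check against the resolver given
        for zone in ("servfail.nl", "www.dnssec-failed.org"):
            r = sys.argv[1]
            print(zone, classify(ask(r, zone), ask(r, zone, cd=True)))
    else:
        print(classify(SERVFAIL, NOERROR_CD))
```

Run with a resolver address as the only argument for a live check; with no argument it classifies the constructed headers. SERVFAIL on both queries is reported as inconclusive because it cannot be told apart from an unreachable zone.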

