[dns-operations] google DNS doing validation?
John Todd
jtodd at quad9.net
Fri Jul 27 16:53:11 UTC 2018
On 26 Jul 2018, at 8:29, Frank Bulk wrote:
> Thanks for hosting that zone and breaking it again. =)
>
> There are only two zones that I know that are intentionally broken
> (servfail.nl and www.dnssec-failed.org -- I'd love to have a few
> more), but they provide at least some indication that our
> customer-facing DNS resolvers are properly performing DNSSEC
> validation.
>
> Frank
[snip]
We see quite a bit of DNSSEC traffic that is “broken” but seems to
be intentionally non-operational. Intentionally broken DNSSEC is by far
the largest source of DNSSEC failure traffic we see on our resolvers (we
perform strict validation on 9.9.9.9/2620:fe::fe but not on
9.9.9.10/2620:fe::10).
Since there was a request for some additional broken domains, here are a
few that we see frequently:
Domains that seem to be “intentionally” broken in a programmatic
way that appears to be testing:
bogus.[string].rootcanary.net
[string]-[string]-[string]-[string]-[string]-bogus-dnssec-bd.gexperiments3.com
[string]-[string]-[string]-[string]-[string]-[string].lae.dotnxdomain.net
Fixed addresses that come up quite often which seem to be intentional:
bogus.ripe-hackathon2.nlnetlabs.nl
prefetch.validatorsearch.verisignlabs.com
test-ns.bogus.internet.nl
dnssec-failed.org
trasigdnssec.se
bad.dnssec-or-not.com
Of course, there are many domains that consistently fail DNSSEC lookups
which give no indication via the name that they are intentional.
JT
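A resolver check in the spirit of this thread, added here as an example rather than code from the thread or from Quad9: it sends raw UDP queries for a control name and for three of the bogus names listed above, and reports a resolver as validating only when the control resolves and every bogus name comes back SERVFAIL (a control that fails makes the SERVFAILs meaningless). The control name internet.nl, the stdlib raw-socket probe and the verdict strings are assumptions of this example.

```python
"""Check whether a recursive resolver enforces DNSSEC validation (added example)."""
import random
import socket
import struct

NOERROR, SERVFAIL = 0, 2
BOGUS = ["dnssec-failed.org", "bad.dnssec-or-not.com", "trasigdnssec.se"]  # from the thread
CONTROL = "internet.nl"  # assumed to be a correctly signed, resolvable zone

def build_query(name, qtype=1):
    """Return (txid, packet) for a minimal recursive A query, no EDNS."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return txid, header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_rcode(txid, resp):
    """Return the RCODE of resp after checking the transaction ID matches."""
    rid, flags = struct.unpack("!HH", resp[:4])
    if rid != txid:
        raise ValueError("transaction ID mismatch")
    return flags & 0x000F

def udp_query(resolver, name, timeout=3.0):
    """Send one UDP query to resolver:53 and return the response RCODE."""
    txid, pkt = build_query(name)
    fam = socket.AF_INET6 if ":" in resolver else socket.AF_INET
    with socket.socket(fam, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (resolver, 53))
        data, _ = s.recvfrom(512)
    return parse_rcode(txid, data)

def classify(rcodes):
    """Verdict from {name: rcode}: control must resolve, all bogus names must SERVFAIL."""
    if rcodes.get(CONTROL) != NOERROR:
        return "inconclusive (control failed)"
    bogus = [rcodes[n] for n in BOGUS if n in rcodes]
    if bogus and all(rc == SERVFAIL for rc in bogus):
        return "validating"
    if bogus and all(rc == NOERROR for rc in bogus):
        return "not validating"
    return "partial (some bogus zones resolved)"

if __name__ == "__main__":
    for r in ("9.9.9.9", "9.9.9.10"):  # strict vs non-validating, per the thread
        print(r, classify({n: udp_query(r, n) for n in [CONTROL] + BOGUS}))
```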