[dns-operations] google DNS doing validation?
dwessels at verisign.com
Fri Jul 27 18:16:33 UTC 2018
> On Jul 27, 2018, at 10:31 AM, Warren Kumari <warren at kumari.net> wrote:
> On Fri, Jul 27, 2018 at 1:03 PM John Todd <jtodd at quad9.net> wrote:
>> On 26 Jul 2018, at 8:29, Frank Bulk wrote:
>>> Thank for hosting that zone and breaking it again. =)
>>> There's only two zones that I know that are intentionally broken
>>> (servfail.nl and www.dnssec-failed.org -- I'd love to have a few
>>> more), but they provide at least some indication that our
>>> customer-facing DNS resolvers are properly performing DNSsec
>> We see quite a bit of DNSSEC traffic that is “broken” but seems to
>> be intentionally non-operational. Intentionally broken DNSSEC is by far
>> the largest source of DNSSEC failure traffic we see on our resolvers (we
>> perform strict validation on 188.8.131.52/2620:fe::fe but not on
>> Since there was a request for some additional broken domains, here are a
>> few that we see frequently:
>> Domains that seem to be “intentionally” broken in a programmatic
>> way that appears to be testing:
>> Fixed addresses that come up quite often which seem to be intentional:
>> Of course, there are many domains that consistently fail DNSSEC lookups
>> which give no indication via the name that it is intentional.
> Perhaps it would be useful to have a *convention* where people include
> a string making it clear that this was intentional.
> I have 'invalid.ksk-test.net' as an intentionally invalid name, but
> from looking at the above, it seems that 'bogus' is more common.
> It's actually somewhat annoying to keep a name bogus / invalid --
> every time I make a change to ksk-test.net I resign it, and my invalid
> record becomes valid. I then edit the signed zone file and monkey with
> the signature to make it invalid again.
> I also want to serve ksk-test.net over TLS, including web resources
> from www.ksk-test.net and invalid.ksk-test.net. The obvious solution
> is LetsEncrypt with either multiple names in the SAN, or a wildcard.
> LE does DNSSEC validation, and so will not issue for
> invalid.ksk-test.net, so I figure I'll do a wildcard. This involves a
> DNS challenge, which the Certbot utility does using dynamic updates --
> which resignes the zone and makes 'invalid' be valid again :-). Yes,
> this could be fixed, but it will require redoing whenever certificate
> renewal happens....
> : Yup, I could / should write a script to automate this (probably
> by passing the signed zone through sed and awk) but I always figure
> I've touched the zone for the last time and that it isn't worth the 15
> minutes it will take to do so...
Yes you should!
I'm proud to say that I've earned the "cream of the crop" award  from ianix.com with 4.5 years continuous downtime of validatorsearch.verisignlabs.com!
 See the very bottom of https://ianix.com/pub/dnssec-outages.html
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4675 bytes
Desc: not available
More information about the dns-operations