[dns-operations] google DNS doing validation?

frnkblk at iname.com frnkblk at iname.com
Sat Jul 28 04:39:48 UTC 2018



I don’t think those sites are all working as advertised … I took baddata-A.test.dnssec-tools.org out of my rotation over a year ago – see attached.  Let me know if I’ve got it wrong.




From: Matthew Pounsett <matt at conundrum.com> 
Sent: Friday, July 27, 2018 6:06 PM
To: Frank Bulk <frnkblk at iname.com>
Cc: Marco Davids (SIDN) <marco.davids at sidn.nl>; dns-operations <dns-operations at dns-oarc.net>
Subject: Re: [dns-operations] google DNS doing validation?




On 26 July 2018 at 11:29, Frank Bulk <frnkblk at iname.com <mailto:frnkblk at iname.com> > wrote:

Thank for hosting that zone and breaking it again. =)

There's only two zones that I know that are intentionally broken (servfail.nl <http://servfail.nl>  and www.dnssec-failed.org <http://www.dnssec-failed.org>  -- I'd love to have a few more), but they provide at least some indication that our customer-facing DNS resolvers are properly performing DNSsec validation. 


Do you need a whole broken zone?  There's test.dnssec-tools.org <http://test.dnssec-tools.org>  which has dozens records all carefully broken in different ways, including some subzones in order to test certain types of breakage which are zone-specific (e.g. NSEC breakage vs. NSEC3 breakage).





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20180727/af56461c/attachment.html>
-------------- next part --------------
An embedded message was scrubbed...
From: "Frank Bulk" <frnkblk at iname.com>
Subject: RE: DNSSEC baddata shouldn't be succeeding
Date: Fri, 28 Apr 2017 16:03:47 -0500
Size: 6984
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20180727/af56461c/attachment.mht>

More information about the dns-operations mailing list