[dns-operations] google DNS doing validation?

frnkblk at iname.com
Sun Jul 29 01:37:51 UTC 2018


Thanks, this is now my current list of fixed addresses that have
intentionally broken DNSSEC records:
www.dnssec-failed.org
www.servfail.nl
servfail.sidnlabs.nl
rhybar.cz
broken.dnssec.ee
bogus.ripe-hackathon2.nlnetlabs.nl
prefetch.validatorsearch.verisignlabs.com
test-ns.bogus.internet.nl
trasigdnssec.se
bad.dnssec-or-not.com

Frank

-----Original Message-----
From: John Todd <jtodd at quad9.net> 
Sent: Friday, July 27, 2018 11:53 AM
To: Frank Bulk <frnkblk at iname.com>
Cc: dns-operations at dns-oarc.net
Subject: Re: [dns-operations] google DNS doing validation?

On 26 Jul 2018, at 8:29, Frank Bulk wrote:

> Thanks for hosting that zone and breaking it again. =)
>
> There are only two zones that I know of that are intentionally broken 
> (servfail.nl and www.dnssec-failed.org -- I'd love to have a few 
> more), but they provide at least some indication that our 
> customer-facing DNS resolvers are properly performing DNSSEC 
> validation.
>
> Frank
[snip]

We see quite a bit of DNSSEC traffic that is "broken" but seems to 
be intentionally non-operational. Intentionally broken DNSSEC is by far 
the largest source of DNSSEC failure traffic we see on our resolvers (we 
perform strict validation on 9.9.9.9/2620:fe::fe but not on 
9.9.9.10/2620:fe::10).

Since there was a request for some additional broken domains, here are a 
few that we see frequently:

  Domains that seem to be "intentionally" broken in a programmatic 
way that appears to be testing:

  bogus.[string].rootcanary.net
  [string]-[string]-[string]-[string]-[string]-bogus-dnssec-bd.gexperiments3.com
  [string]-[string]-[string]-[string]-[string]-[string].lae.dotnxdomain.net


  Fixed addresses that come up quite often which seem to be intentional:

  bogus.ripe-hackathon2.nlnetlabs.nl
  prefetch.validatorsearch.verisignlabs.com
  test-ns.bogus.internet.nl
  dnssec-failed.org
  trasigdnssec.se
  bad.dnssec-or-not.com


Of course, there are many domains that consistently fail DNSSEC lookups 
which give no indication via the name that it is intentional.

JT
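Both messages above use the same technique: query a name whose DNSSEC chain is deliberately broken and see whether the resolver refuses to answer. The script below is an added example, not code from either poster or from Quad9. It takes the fixed test names from Frank's list and the 9.9.9.9 address from John's message; every function name (build_query, parse_header, classify, query, check_resolver) is my own. It sends each name twice, once normally and once with the CD (checking disabled) bit set: a validating resolver returns SERVFAIL only on the first query, a non-validating one answers both, and a name that fails both ways is reported as inconclusive, since that usually means the zone or the path to it is broken rather than its signatures. Only the standard library is used.

```python
"""Added example (not from the thread): check whether a recursive resolver
validates DNSSEC by querying intentionally broken names with and without
the CD bit. Names and the 9.9.9.9 address come from the thread; the code
and the verdict logic are assumptions of this example."""
import random
import socket
import struct
from typing import Dict, List, Tuple

# Fixed test names listed in the thread (the rootcanary / gexperiments3 /
# dotnxdomain names use per-query random labels and are left out).
BROKEN_NAMES = [
    "www.dnssec-failed.org", "www.servfail.nl", "servfail.sidnlabs.nl",
    "rhybar.cz", "broken.dnssec.ee", "bogus.ripe-hackathon2.nlnetlabs.nl",
    "prefetch.validatorsearch.verisignlabs.com", "test-ns.bogus.internet.nl",
    "trasigdnssec.se", "bad.dnssec-or-not.com",
]

RCODE_SERVFAIL = 2
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
FLAG_RD = 0x0100  # recursion desired
FLAG_AD = 0x0020  # authentic data: set by a validator on a validated answer
FLAG_CD = 0x0010  # checking disabled: ask the resolver not to validate


def build_query(name: str, txid: int, qtype: int = 1, cd: bool = False) -> bytes:
    """Wire-format DNS query: RFC 1035 header + question + EDNS0 OPT with DO,
    so the resolver treats us as DNSSEC-aware. qtype 1 = A."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # 1 question, 1 OPT
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR (RFC 6891): root name, type 41, UDP size in the class field,
    # TTL field = ext-rcode(8) | version(8) | flags(16) with DO = 0x8000.
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt


def parse_header(data: bytes) -> Dict[str, int]:
    """Decode the 12-byte DNS header of a response into the fields we need."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "rcode": flags & 0x000F,
            "ad": int(bool(flags & FLAG_AD)), "cd": int(bool(flags & FLAG_CD)),
            "ancount": an}


def classify(rcode_plain: int, rcode_cd: int) -> str:
    """Verdict from the rcodes of the normal query and the CD query."""
    if rcode_plain == RCODE_SERVFAIL and rcode_cd != RCODE_SERVFAIL:
        return "validating"      # fails only while checking is enabled
    if rcode_plain != RCODE_SERVFAIL and rcode_cd != RCODE_SERVFAIL:
        return "not-validating"  # answered a deliberately bogus name
    return "inconclusive"        # fails even with CD: zone/path problem, not validation


def query(resolver: str, name: str, cd: bool = False, timeout: float = 3.0) -> Dict[str, int]:
    """Send one UDP query and return the parsed header of the matching reply."""
    txid = random.randint(0, 0xFFFF)
    family = socket.AF_INET6 if ":" in resolver else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid, cd=cd), (resolver, 53))
        while True:  # ignore anything that does not carry our transaction id
            data, _ = sock.recvfrom(4096)
            if len(data) >= 12 and parse_header(data)["id"] == txid:
                return parse_header(data)


def check_resolver(resolver: str, names: List[str] = BROKEN_NAMES) -> List[Tuple[str, str, str, str]]:
    """Query each bogus name with and without CD; return (name, rcode, rcode_cd, verdict)."""
    results = []
    for name in names:
        try:
            plain = query(resolver, name)["rcode"]
            with_cd = query(resolver, name, cd=True)["rcode"]
        except socket.timeout:
            results.append((name, "TIMEOUT", "TIMEOUT", "inconclusive"))
            continue
        results.append((name, RCODE_NAMES.get(plain, str(plain)),
                        RCODE_NAMES.get(with_cd, str(with_cd)), classify(plain, with_cd)))
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "9.9.9.9"  # validating address from the thread
    for row in check_resolver(target):
        print("%-45s plain=%-9s cd=%-9s %s" % row)
```

Run it as `python3 check_dnssec.py 9.9.9.9` and compare against `9.9.9.10`: the former should report "validating" on most names, the latter "not-validating". A name that shows "inconclusive" on both addresses is failing for reasons other than validation and belongs on a watch list rather than in the test set, which is exactly the distinction John's last paragraph draws.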