[dns-operations] DNSSEC quality by TLD
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu May 17 15:02:07 UTC 2018
> On May 17, 2018, at 10:22 AM, John Levine <johnl at taugh.com> wrote:
>
> If those numbers are correct, they're really pitiful. Bank is
> supposed to be a super secure TLD, careful checking of registrants
> to be sure they're real banks, and every delegation is signed.
>
> I checked, the current zone file has DS for every NS. How are
> they broken?
Of the 1347 delegations that are failing, 1314 are REFUSED by:
120.29.252.106 dns1.encirca.us
120.29.254.106 dns2.encirca.us
So these are presumably parked and not maintained. The rest are
more diverse, with a bad key roll at e.g.:
http://dnsviz.net/d/meine.bank/dnssec/
http://dnsviz.net/d/poalim.bank/dnssec/
http://dnsviz.net/d/sparkasse.bank/dnssec/
http://dnsviz.net/d/rlb.bank/dnssec/
--
Viktor.
More information about the dns-operations
mailing list