[dns-operations] Quad9 DNSSEC Validation?
abang at t-ipnet.net
Sun Feb 28 07:51:54 UTC 2021
Am 27. Februar 2021 21:54:20 MEZ schrieb Scott Morizot <tmorizot at gmail.com>:
>I submitted a report through their interface, but I was curious if
>had noticed other oddities about Quad9's operational implementation of
>DNSSEC validation. I happened to notice today that their service
>the test subzone I've had set up for the past decade to test DNSSEC
>validation. (The failure is straightforward. The DS record in irs.gov
>not match any of the DNSKEY records in the dnssec-failed.irs.gov RRSet
>thus fails to match the DNSKEY RRSIG.)
>Resolution fails as expected on our recursive infrastructure.
>fails through my personal Internet ISP's recursive nameservers
>which are also validating. And 126.96.36.199 and 188.8.131.52 return the expected
>SERVFAIL. But 184.108.40.206 does not.
I guess they've turned off validation for irs.gov because of a former failure. Maybe this one? https://dnsviz.net/d/irs.gov/XqOruQ/dnssec/?no_js=1
More information about the dns-operations