[dns-operations] Quad9 DNSSEC Validation?

Winfried Angele abang at t-ipnet.net
Sun Feb 28 07:51:54 UTC 2021



On 27 February 2021 21:54:20 CET, Scott Morizot <tmorizot at gmail.com> wrote:
>I submitted a report through their interface, but I was curious if anyone
>had noticed other oddities about Quad9's operational implementation of
>DNSSEC validation. I happened to notice today that their service resolved
>the test subzone I've had set up for the past decade to test DNSSEC
>validation. (The failure is straightforward. The DS record in irs.gov does
>not match any of the DNSKEY records in the dnssec-failed.irs.gov RRSet and
>thus fails to match the DNSKEY RRSIG.)
>
>Resolution fails as expected on our recursive infrastructure. Resolution
>fails through my personal Internet ISP's recursive nameservers (Suddenlink)
>which are also validating. And 8.8.8.8 and 1.1.1.1 return the expected
>SERVFAIL. But 9.9.9.9 does not.

I guess they've turned off validation for irs.gov because of a former failure. Maybe this one? https://dnsviz.net/d/irs.gov/XqOruQ/dnssec/?no_js=1
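
The DS-to-DNSKEY mismatch described in the quoted message, as an added example that is not part of the thread: it computes the RFC 4034 key tag and SHA-256 DS digest for each DNSKEY and reports whether any DS in the parent links to the child's key set. The zone name `broken.example.`, the key bytes and the function names are constructed for illustration, and the RRSIG check that follows a DS match in real validation is not covered.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, algorithm):
    """DS fields (key tag, algorithm, digest type 2, SHA-256 hex digest) for one DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)

def matching_keys(owner, ds_set, dnskey_rdatas):
    """Return the DNSKEY RDATAs that some SHA-256 DS record in the parent vouches for."""
    hits = []
    for rdata in dnskey_rdatas:
        algorithm = rdata[3]  # fourth RDATA byte is the algorithm number
        for tag, ds_alg, digest_type, digest in ds_set:
            if digest_type != 2 or ds_alg != algorithm or tag != key_tag(rdata):
                continue
            if make_ds(owner, rdata, algorithm)[3] == digest.lower():
                hits.append(rdata)
                break
    return hits

def chain_status(owner, ds_set, dnskey_rdatas):
    """'ds-linked' if a DS matches a served key, else 'bogus' (a validator answers SERVFAIL)."""
    return "ds-linked" if matching_keys(owner, ds_set, dnskey_rdatas) else "bogus"

# Constructed sample data: the key bytes are placeholders, not real keys.
ZONE = "broken.example."
PUBLISHED_KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
RETIRED_KSK = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))
GOOD_DS = [make_ds(ZONE, PUBLISHED_KSK, 13)]
STALE_DS = [make_ds(ZONE, RETIRED_KSK, 13)]  # parent points at a key the child no longer serves

if __name__ == "__main__":
    print("DS matches key set:", chain_status(ZONE, GOOD_DS, [PUBLISHED_KSK]))
    print("DS matches no key: ", chain_status(ZONE, STALE_DS, [PUBLISHED_KSK]))
```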



