[dns-operations] Quad9 DNSSEC Validation?
Scott Morizot
tmorizot at gmail.com
Sun Feb 28 12:41:39 UTC 2021
On Sun, Feb 28, 2021 at 2:44 AM Florian Weimer <fw at deneb.enyo.de> wrote:
> * Winfried Angele:
>
> > I guess they've turned off validation for irs.gov because of a
> > former failure.
>
> I think it goes beyond that. It extends to GOV and MIL as a whole, it
> seems.
>
>
Interesting. It didn't occur to me to check that. It appears you are
correct.
Their website should certainly document that they have such a huge
exception in place for two major US gTLDs in their DNSSEC validation
implementation.
If it is documented somewhere, I couldn't find it.
C:\>dig @9.9.9.9 gov. ns +dnssec +adflag
; <<>> DiG 9.12.1-P2 <<>> @9.9.9.9 gov. ns +dnssec +adflag
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49356
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;gov. IN NS
;; ANSWER SECTION:
gov. 43200 IN NS a.gov-servers.net.
gov. 43200 IN NS c.gov-servers.net.
gov. 43200 IN NS b.gov-servers.net.
gov. 43200 IN NS d.gov-servers.net.
gov. 43200 IN RRSIG NS 8 1 172800
20210307111009 20210228111009 27306 gov.
Hsn0bfePCVgL89MzbJLO+qWeVS8UyBhTsI8ZkiM0L3Bd4Ts94b5Lr+b6
1mmRBggNq60YNmNNr0T6pWYgiXvkHNFiMAkOWsWnBhF78bFhvZZzWUWU
ajD3Jcwj9iYK2OiL+ee3Qk1U0iBIAcoAkB7xD8Ffk0wzzak3Ly/Q6M3s
Y/cjCmsI5ts6KtCxZoE3vrqZVyRaqAVQdsyJDZx7HCsjig==
;; Query time: 57 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Sun Feb 28 06:39:33 Central Standard Time 2021
;; MSG SIZE rcvd: 306
C:\>dig @9.9.9.9 mil. ns +dnssec +adflag
; <<>> DiG 9.12.1-P2 <<>> @9.9.9.9 mil. ns +dnssec +adflag
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7742
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;mil. IN NS
;; ANSWER SECTION:
mil. 19475 IN NS CON2.NIPR.mil.
mil. 19475 IN NS EUR1.NIPR.mil.
mil. 19475 IN NS PAC1.NIPR.mil.
mil. 19475 IN NS CON1.NIPR.mil.
mil. 19475 IN NS PAC2.NIPR.mil.
mil. 19475 IN NS EUR2.NIPR.mil.
mil. 19475 IN RRSIG NS 8 1 21600 20210305172406
20210226172406 19128 mil.
xgAGFEuR9fgkV3LFYwkVgES3PzZOJan/Rnxz3eK9UJIf87Hvr3b8/6G4
Wk8Bc+3amLOZYEt483hU3ONJKa+gY4Mb4i7jCc1otvyOxF0eCWMTLN6V
9ZBKK5sLJm5GSYblD+MWS5Ko6DiwbGhR6u4PatEzrXhUrLITiSjQjLJH 1rQ=
;; Query time: 59 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Sun Feb 28 06:39:43 Central Standard Time 2021
;; MSG SIZE rcvd: 314
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20210228/d1566432/attachment.html>
More information about the dns-operations
mailing list