[dns-operations] Quad9 DNSSEC Validation?

Scott Morizot tmorizot at gmail.com
Sun Feb 28 12:41:39 UTC 2021


On Sun, Feb 28, 2021 at 2:44 AM Florian Weimer <fw at deneb.enyo.de> wrote:

> * Winfried Angele:
>
> > I guess they've turned off validation for irs.gov because of a
> > former failure.
>
> I think it goes beyond that.  It extends to GOV and MIL as a whole, it
> seems.
>
>
Interesting. It didn't occur to me to check that. It appears you are
correct.

Their website should certainly document that they have such a huge
exception in place for two major US gTLDs in their DNSSEC validation
implementation.

If it is documented somewhere, I couldn't find it.

C:\>dig @9.9.9.9 gov. ns +dnssec +adflag

; <<>> DiG 9.12.1-P2 <<>> @9.9.9.9 gov. ns +dnssec +adflag
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49356
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;gov.                           IN      NS

;; ANSWER SECTION:
gov.                    43200   IN      NS      a.gov-servers.net.
gov.                    43200   IN      NS      c.gov-servers.net.
gov.                    43200   IN      NS      b.gov-servers.net.
gov.                    43200   IN      NS      d.gov-servers.net.
gov.                    43200   IN      RRSIG   NS 8 1 172800
20210307111009 20210228111009 27306 gov.
Hsn0bfePCVgL89MzbJLO+qWeVS8UyBhTsI8ZkiM0L3Bd4Ts94b5Lr+b6
1mmRBggNq60YNmNNr0T6pWYgiXvkHNFiMAkOWsWnBhF78bFhvZZzWUWU
ajD3Jcwj9iYK2OiL+ee3Qk1U0iBIAcoAkB7xD8Ffk0wzzak3Ly/Q6M3s
Y/cjCmsI5ts6KtCxZoE3vrqZVyRaqAVQdsyJDZx7HCsjig==

;; Query time: 57 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Sun Feb 28 06:39:33 Central Standard Time 2021
;; MSG SIZE  rcvd: 306


C:\>dig @9.9.9.9 mil. ns +dnssec +adflag

; <<>> DiG 9.12.1-P2 <<>> @9.9.9.9 mil. ns +dnssec +adflag
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7742
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;mil.                           IN      NS

;; ANSWER SECTION:
mil.                    19475   IN      NS      CON2.NIPR.mil.
mil.                    19475   IN      NS      EUR1.NIPR.mil.
mil.                    19475   IN      NS      PAC1.NIPR.mil.
mil.                    19475   IN      NS      CON1.NIPR.mil.
mil.                    19475   IN      NS      PAC2.NIPR.mil.
mil.                    19475   IN      NS      EUR2.NIPR.mil.
mil.                    19475   IN      RRSIG   NS 8 1 21600 20210305172406
20210226172406 19128 mil.
xgAGFEuR9fgkV3LFYwkVgES3PzZOJan/Rnxz3eK9UJIf87Hvr3b8/6G4
Wk8Bc+3amLOZYEt483hU3ONJKa+gY4Mb4i7jCc1otvyOxF0eCWMTLN6V
9ZBKK5sLJm5GSYblD+MWS5Ko6DiwbGhR6u4PatEzrXhUrLITiSjQjLJH 1rQ=

;; Query time: 59 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Sun Feb 28 06:39:43 Central Standard Time 2021
;; MSG SIZE  rcvd: 314
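
Added example (not part of the original message): a Python check that reads saved dig output like the two responses above and reports whether the resolver set the AD flag on an answer that carries RRSIGs with DO set. The function names and result labels are assumptions of this example; the first sample is abridged from the gov. output above and the second is constructed.

```python
import re

# Abridged from the gov. response quoted above; RRSIG signature data elided.
GOV_9999 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49356
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; ANSWER SECTION:
gov.                    43200   IN      NS      a.gov-servers.net.
gov.                    43200   IN      RRSIG   NS 8 1 172800 (elided)

;; Query time: 57 msec
"""

# Constructed sample: the same response as a validating resolver would flag it.
VALIDATED = GOV_9999.replace("flags: qr rd ra;", "flags: qr rd ra ad;")


def parse_dig(text):
    """Pull the DNSSEC-relevant fields out of dig's text output."""
    hdr = re.search(r"^;; flags:([^;]*);", text, re.M)
    status = re.search(r"status: (\w+)", text)
    edns = re.search(r"^; EDNS:.*flags:([^;]*);", text, re.M)
    rrsig = False
    parts = text.split(";; ANSWER SECTION:", 1)
    if len(parts) == 2:
        for line in parts[1].splitlines():
            if line.startswith(";;"):      # next section or trailer
                break
            fields = line.split()
            if len(fields) >= 4 and fields[2:4] == ["IN", "RRSIG"]:
                rrsig = True
    return {
        "status": status.group(1) if status else None,
        "flags": set(hdr.group(1).split()) if hdr else set(),
        "do": bool(edns) and "do" in edns.group(1).split(),
        "rrsig": rrsig,
    }


def classify(result):
    """Label a parsed response by what it says about validation."""
    if result["status"] != "NOERROR":
        return "error:%s" % result["status"]
    if "ad" in result["flags"]:
        return "authenticated"
    if result["do"] and result["rrsig"]:
        return "signed-but-not-authenticated"
    return "no-dnssec-evidence"
```

Running `classify(parse_dig(...))` over output collected per zone from each resolver in use makes an undocumented validation exception visible as a `signed-but-not-authenticated` result.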