[dns-operations] Quad9 DNSSEC Validation?

Scott Morizot tmorizot at gmail.com
Sun Feb 28 12:52:45 UTC 2021

On Sun, Feb 28, 2021 at 3:17 AM Bill Woodcock <woody at pch.net> wrote:

> Your experiment is not distributing malware through .GOV or .MIL,
> therefore you have no reasonable expectation that we, our donors, and our
> users should absorb the externalized costs of your experiment.

I beg your pardon. I am the DNS Architect for the Internal Revenue Service
in the Department of Treasury in the US Federal Government. I was not
running an experiment. We have had DNSSEC signing for public zones in place
since 2011, and DNSSEC validation at the perimeter of our recursive
infrastructure for all Internet queries, including those for our own public
zones, in place since 2012. We have had DNSSEC validation enabled
throughout our internal enterprise recursive infrastructure since 2015, and
at this juncture have most of our enterprise authoritative DNS DNSSEC
signed as well.

I asked about Quad9 because your publicly posted information asserts you
enforce DNSSEC validation. No exceptions are publicly documented, yet it
appeared that validation was disabled for our primary production second
level domain. I was asking if anyone knew why since it appeared Quad9 did
enforce DNSSEC validation on other zones like comcast.net.

It did not occur to me that the Quad9 service had disabled DNSSEC
validation for the entire .gov and .mil gTLDs. That definitely needs to be
part of your public documentation. Your service DNSSEC validates the parts
of Internet DNS you feel like validating.
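
The check the poster describes, as an added example that is not part of the original message: send a query with the EDNS0 DO bit to a recursive resolver and read the AD (authenticated data) flag and RCODE in the reply. A validated answer carries AD=1, an unvalidated one AD=0, and a zone that fails validation returns SERVFAIL. It assumes Quad9's public resolver address 9.9.9.9; comcast.net is from the message, and irs.gov is assumed as the IRS public zone (substitute any zone of interest).

```python
import socket
import struct

# Build a minimal wire-format A query with EDNS0 and the DO bit set, so the
# resolver is asked to validate and to report the AD flag in its answer.
def build_query(name: str, txid: int = 0x1234) -> bytes:
    # flags 0x0100 = RD; 1 question, 0 answers, 0 authority, 1 additional (OPT)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode()
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0,
    # flags 0x8000 = DO, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

# Classify a response purely from its 12-byte header: RCODE is the low 4 bits
# of the flags word, AD is bit 5 (0x0020).
def classify_response(resp: bytes) -> str:
    _txid, flags, *_ = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    ad = bool(flags & 0x0020)
    if rcode == 2:
        return "SERVFAIL"  # validation failure, or some other upstream failure
    if rcode != 0:
        return f"RCODE {rcode}"
    return "validated" if ad else "not validated"

# Ask one resolver about one name over UDP and classify what comes back.
def check(resolver: str, name: str, timeout: float = 3.0) -> str:
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        resp, _ = sock.recvfrom(4096)
    if resp[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return classify_response(resp)

if __name__ == "__main__":
    # 9.9.9.9 is Quad9's public resolver; irs.gov is assumed as the IRS zone.
    for zone in ("comcast.net", "irs.gov"):
        print(zone, check("9.9.9.9", zone))
```

A zone that is signed but answered "not validated" is the situation the message reports; compare the same name against a resolver you know validates before drawing conclusions.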
