[dns-operations] Quad9 DNSSEC Validation?

Scott Morizot tmorizot at gmail.com
Sun Feb 28 18:09:59 UTC 2021

I have gone back and read Quad9's description of their service offering.


Their own public description of their service to people who might decide to
employ it clearly indicates that their secure services perform and enforce
DNSSEC validation.

That is, at best, a misleading description if not outright false.
The service does not properly implement DNSSEC validation according to the
DNSSEC protocol standards. Moreover, they have not even properly complied
with the informational RFC on negative trust anchors, RFC 7646.


First, it is supposed to be temporary and domain name specific. In fact,
the informational RFC states that technical personnel should ensure it is
due to a misconfiguration and not the sort of attack DNSSEC is intended to
prevent and that they should make every reasonable attempt to contact the
domain owner.

Instead, Quad9 has silently disabled DNSSEC validation for effectively the
entire United States Federal Government, civilian and military, without
prominently publishing a notice to that effect in its service description.
If citizens of the US are selecting a "secure" DNS service, they should be
so informed. It is, frankly, not just a lack of transparency. It is
dishonest and misleading.

It's their service and they can do whatever they like. But they need to
tell the people using it the truth about the service they are, in fact,


On Sun, Feb 28, 2021 at 6:52 AM Scott Morizot <tmorizot at gmail.com> wrote:

> On Sun, Feb 28, 2021 at 3:17 AM Bill Woodcock <woody at pch.net> wrote:
>
>> Your experiment is not distributing malware through .GOV or .MIL,
>> therefore you have no reasonable expectation that we, our donors, and our
>> users should absorb the externalized costs of your experiment.
>
> I beg your pardon. I am the DNS Architect for the Internal Revenue Service
> in the Department of Treasury in the US Federal Government. I was not
> running an experiment. We have had DNSSEC signing for public zones in place
> since 2011, DNSSEC validation at the perimeter of our recursive
> infrastructure for all Internet queries, including those for our own public
> zones, in place since 2012. We have had DNSSEC validation enabled
> throughout our internal enterprise recursive infrastructure since 2015 and
> at this juncture have most of our enterprise authoritative DNS DNSSEC
> signed as well.
>
> I asked about Quad9 because your publicly posted information asserts you
> enforce DNSSEC validation. No exceptions are publicly documented yet it
> appeared that validation was disabled for our primary production second
> level domain. I was asking if anyone knew why since it appeared Quad9 did
> enforce DNSSEC validation on other zones like comcast.net.
>
> It did not occur to me that the Quad9 service had disabled DNSSEC
> validation for the entire .gov and .mil gTLDs. That definitely needs to be
> part of your public documentation. Your service DNSSEC validates the parts
> of Internet DNS you feel like validating.
>
> Scott