[dns-operations] Quad9 DNSSEC Validation?
Petr Špaček
pspacek at isc.org
Mon Mar 1 08:12:38 UTC 2021

On 28. 02. 21 9:39, Florian Weimer wrote:
> * Winfried Angele:
>
>> I guess they've turned off validation for irs.gov because of a
>> former failure.
>
> I think it goes beyond that. It extends to GOV and MIL as a whole, it
> seems.

In my experience negative trust anchors for big parts of MIL and/or GOV
are way more common; let's not pick specifically on Quad9. For periods
of time I have seen them with other big resolver operators as well.

IMHO resolver market economics are going against DNSSEC security. If
resolution does not work on one operator, people routinely switch to
another where it "works", either because they do not validate at all, or
because their ops team already added a negative trust anchor.

The only way to fix this is mutual agreement among operators to stop
working around someone else's mistakes.

Are there operators willing to participate in such an effort?

--
Petr Špaček @ ISC