On 28. 02. 21 9:39, Florian Weimer wrote:
> * Winfried Angele:
>> I guess they've turned off validation for irs.gov because of a
>> former failure.
> I think it goes beyond that.  It extends to GOV and MIL as a whole, it
> seems.

In my experience negative trust anchors for big parts of MIL and/or GOV
are way more common, so let's not pick specifically on Quad9. For periods
of time I have seen this with other big resolver operators as well.

IMHO resolver market economics are going against DNSSEC security. If
resolution does not work on one operator, people routinely switch to
another where it "works", either because they do not validate at all, or
because their ops team already added a negative trust anchor.

The only way to fix this is mutual agreement among operators to stop
working around someone else's mistakes.

Are there operators willing to participate in such an effort?

Petr Špaček  @  ISC
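The thread turns on what a negative trust anchor (NTA) does to a validating resolver: an NTA placed at a name switches DNSSEC validation off for that name and everything below it, so an NTA at GOV or MIL silently covers irs.gov and every other delegation in the TLD. The following is an added example, not code from the thread or from any resolver project; it models that subtree semantics and adds the kind of hygiene audit an operator who wants to stop papering over other people's mistakes could run against their own NTA list (RFC 7646 suggests NTAs be short-lived, with one week as the maximum). The function names and the NTA entries, timestamps and domain names below are constructed for illustration.

```python
"""Model of negative-trust-anchor (NTA) scope plus an RFC 7646-style audit.

Added example for the dns-operations thread; NTA entries, names and
timestamps are constructed, and the function names are hypothetical.
"""
from datetime import datetime, timedelta, timezone

# RFC 7646 section 4: an NTA should be short-lived; one week is the ceiling.
MAX_NTA_LIFETIME = timedelta(days=7)


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip the trailing dot so names compare equal."""
    return name.lower().strip(".")


def covering_nta(qname: str, ntas: list, now: datetime):
    """Return the name of the NTA that suppresses validation for qname, or None.

    An NTA applies to the name itself and to every name below it, but only
    while it is active (added <= now < expires).  When several NTAs cover a
    query name, the most specific one is reported.
    """
    q = normalize(qname)
    best = None
    for nta in ntas:
        n = normalize(nta["name"])
        if not (nta["added"] <= now < nta["expires"]):
            continue  # expired or not-yet-active NTAs have no effect
        if q == n or q.endswith("." + n):
            if best is None or len(n) > len(best):
                best = n
    return best


def audit_ntas(ntas: list, now: datetime) -> list:
    """Flag NTAs an operator should revisit: stale, overlong, or TLD-wide."""
    findings = []
    for nta in ntas:
        n = normalize(nta["name"])
        if nta["expires"] <= now:
            findings.append((n, "expired but still configured"))
        if nta["expires"] - nta["added"] > MAX_NTA_LIFETIME:
            findings.append((n, "lifetime exceeds the RFC 7646 one-week maximum"))
        if "." not in n:
            findings.append((n, "covers an entire TLD"))
    return findings


# Constructed sample data: a long-lived TLD-wide NTA (the pattern discussed in
# the thread), an NTA that has already expired, and a short, well-scoped one.
CONSTRUCTED_NOW = datetime(2021, 2, 28, 12, 0, tzinfo=timezone.utc)
CONSTRUCTED_NTAS = [
    {"name": "gov.",
     "added": CONSTRUCTED_NOW - timedelta(days=30),
     "expires": CONSTRUCTED_NOW + timedelta(days=335)},
    {"name": "broken.example.",
     "added": CONSTRUCTED_NOW - timedelta(hours=2),
     "expires": CONSTRUCTED_NOW - timedelta(hours=1)},
    {"name": "fixing.example.",
     "added": CONSTRUCTED_NOW - timedelta(minutes=30),
     "expires": CONSTRUCTED_NOW + timedelta(minutes=30)},
]


if __name__ == "__main__":
    for q in ("irs.gov.", "www.broken.example", "fixing.example", "example.mil"):
        print(f"{q:22} validation disabled by: {covering_nta(q, CONSTRUCTED_NTAS, CONSTRUCTED_NOW)}")
    for name, reason in audit_ntas(CONSTRUCTED_NTAS, CONSTRUCTED_NOW):
        print(f"AUDIT {name}: {reason}")
```

Run against the constructed list, `irs.gov.` is reported as unvalidated because of the TLD-wide `gov` NTA, the expired `broken.example` entry no longer affects anything, and the audit flags the `gov` entry twice (TLD-wide and far beyond the one-week lifetime) and the stale entry once.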

