[dns-operations] Quad9 DNSSEC Validation?

Bill Woodcock woody at pch.net
Mon Mar 1 09:24:53 UTC 2021



> On Mar 1, 2021, at 9:12 AM, Petr Špaček <pspacek at isc.org> wrote:
> In my experience negative trust anchors for big parts of MIL and/or GOV are way more common, let's not pick specifically on Quad9. For periods of time I have seen with other big resolver operators as well.
> IMHO resolver market economics are going against DNSSEC security. If resolution does not work on one operator people routinely switch to other where it "works", either because they do not validate at all, or because their ops team already added negative trust anchor.
> The only way to fix this is mutual agreement among operators to stop working around someone else's mistakes.

Yep, exactly.

> Are there operators willing to participate in such effort?

We’ve been pushing for it for several years without gaining traction yet.  We’d very much like others to come to the table.

I spent a bunch of time talking with John Todd, our General Manager, about this last night, and he’s writing up a more official Quad9 response to this thread.

                                -Bill

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20210301/5fe11525/attachment.sig>


More information about the dns-operations mailing list