[dns-operations] Quad9 DNSSEC Validation?
Winfried Angele
abang at t-ipnet.net
Mon Mar 1 09:25:38 UTC 2021
On 01.03.21 09:12, Petr Špaček wrote:
> On 28. 02. 21 9:39, Florian Weimer wrote:
>> * Winfried Angele:
>>
>>> I guess they've turned off validation for irs.gov because of a
>>> former failure.
>>
>> I think it goes beyond that. It extends to GOV and MIL as a whole, it
>> seems.
>
> In my experience negative trust anchors for big parts of MIL and/or GOV
> are way more common; let's not pick specifically on Quad9. For periods
> of time I have seen this with other big resolver operators as well.
>
> IMHO resolver market economics are going against DNSSEC security. If
> resolution does not work on one operator, people routinely switch to
> another where it "works", either because they do not validate at all, or
> because their ops team already added a negative trust anchor.
>
> The only way to fix this is mutual agreement among operators to stop
> working around someone else's mistakes.
>
> Are there operators willing to participate in such effort?
>
From our experience, it is very rare that a workaround is really
necessary. In such cases we try to inform the responsible persons with a
few mails. This is often successful and the workaround can be quickly
removed. I agree for cases where the responsible persons don't
care/don't respond.
Winfried Angele, DT
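The thread distinguishes three resolver behaviours that look the same to an end user: a resolver that validates, one that does not validate at all, and a validating resolver that has put a negative trust anchor (NTA) on a zone such as irs.gov. The script below is an added example, not code from the thread or from any of the operators named in it. It parses the header lines that `dig +dnssec` prints and applies that distinction: a validating resolver sets the AD flag on a correctly signed answer and returns SERVFAIL for a zone whose signatures are broken, whereas an NTA makes one specific signed zone come back NOERROR without AD. The dig outputs embedded in it are constructed samples, not captures from any real resolver, and the function and constant names are the example's own.

```python
"""Classify a resolver's DNSSEC behaviour from dig header output.

Added example for the dns-operations discussion of negative trust
anchors; the dig outputs below are constructed, not real captures.
"""
import re

# Header lines as printed by dig, e.g.
#   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
#   ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
HEADER_RE = re.compile(
    r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)", re.M)
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)

# Constructed sample 1: signed zone, answer validated (AD set).
SAMPLE_VALIDATED = """\
; <<>> DiG 9.16.1 <<>> +dnssec example.net A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

# Constructed sample 2: answer returned without AD. This is what a
# non-validating resolver returns for any zone, and what a validating
# resolver returns for a zone covered by an NTA.
SAMPLE_NO_AD = """\
; <<>> DiG 9.16.1 <<>> +dnssec example.net A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

# Constructed sample 3: validation failure on a mis-signed zone.
SAMPLE_SERVFAIL = """\
; <<>> DiG 9.16.1 <<>> +dnssec broken.example A
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""


def parse_dig(text: str) -> dict:
    """Extract the RCODE and the header flags from dig output."""
    hm = HEADER_RE.search(text)
    fm = FLAGS_RE.search(text)
    if hm is None or fm is None:
        raise ValueError("no dig header block found")
    return {"status": hm.group(2), "flags": set(fm.group(1).split())}


def classify_resolver(signed_ok: str, signed_broken: str) -> str:
    """Judge a resolver from two queries: one for a correctly signed zone,
    one for a zone known to be deliberately mis-signed."""
    ok = parse_dig(signed_ok)
    bad = parse_dig(signed_broken)
    if "ad" in ok["flags"] and bad["status"] == "SERVFAIL":
        return "validating"
    if "ad" not in ok["flags"] and bad["status"] == "NOERROR":
        return "not validating"
    if "ad" in ok["flags"] and bad["status"] == "NOERROR":
        # Validation works in general, but this one zone was let through:
        # an NTA on the resolver is the usual reason.
        return "validating, but the broken zone is treated as insecure (NTA)"
    return "inconsistent"


def zone_status(answer: str) -> str:
    """For a zone the operator knows to be signed and validating elsewhere,
    say what a single resolver's answer implies about that zone."""
    r = parse_dig(answer)
    if r["status"] == "SERVFAIL":
        return "validation failure (or resolver error)"
    if "ad" in r["flags"]:
        return "validated"
    return "answered without AD: NTA, unsigned delegation, or non-validating resolver"


if __name__ == "__main__":
    print(classify_resolver(SAMPLE_VALIDATED, SAMPLE_SERVFAIL))
    print(classify_resolver(SAMPLE_NO_AD, SAMPLE_NO_AD))
    print(classify_resolver(SAMPLE_VALIDATED, SAMPLE_NO_AD))
    print(zone_status(SAMPLE_NO_AD))
```

In practice the two inputs come from `dig +dnssec <name> @<resolver>` against a zone you know is correctly signed and against a zone you know is mis-signed; feeding the same pair to several public resolvers shows which ones validate, which do not, and which carry an NTA for the zone under test, which is exactly the ambiguity the thread describes when resolution "works" on one operator and not on another.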