[dns-operations] Quad9 DNSSEC Validation?

Winfried Angele abang at t-ipnet.net
Mon Mar 1 09:25:38 UTC 2021


On 01.03.21 09:12, Petr Špaček wrote:
> On 28. 02. 21 9:39, Florian Weimer wrote:
>> * Winfried Angele:
>>
>>> I guess they've turned off validation for irs.gov because of a
>>> former failure.
>>
>> I think it goes beyond that.  It extends to GOV and MIL as a whole, it
>> seems.
> 
> In my experience negative trust anchors for big parts of MIL and/or GOV 
> are way more common, let's not pick specifically on Quad9. For periods 
> of time I have seen with other big resolver operators as well.
> 
> IMHO resolver market economics are going against DNSSEC security. If 
> resolution does not work on one operator people routinely switch to 
> other where it "works", either because they do not validate at all, or 
> because their ops team already added negative trust anchor.
> 
> The only way to fix this is mutual agreement among operators to stop 
> working around someone else's mistakes.
> 
> Are there operators willing to participate in such effort?
> 

 From our experience, it is very rare that a workaround is really 
necessary. In such cases we try to inform the responsible persons with a 
few mails. This is often successful and the workaround can be quickly 
removed. I agree for cases where the responsible persons don't 
care/don't respond.

Winfried Angele, DT



More information about the dns-operations mailing list