> In my experience negative trust anchors for big parts of MIL and/or GOV
> are way more common, let's not pick specifically on Quad9. For periods
> of time I have seen this with other big resolver operators as well.
That's an interesting assertion. Do you have any data to support it? I
checked validation of our zone through all major providers whose
nameservers I could access that advertise DNSSEC validation, including my
own personal, residential ISP. They all responded with the AD flag in
queries for irs.gov. And they all returned SERVFAIL for queries for the
test subzone I have had in place for a decade, but did return a response for
that test zone with the CD flag enabled. Quad9 is the only one I could find
that advertises they perform DNSSEC validation in their public
documentation for a service provided to the general public but that has
silently and without notice disabled all such validation for the entire
.gov and .mil gTLDs.

If you know of another such public recursive DNS service doing the same,
please share that.

And it is the failure to provide any notice to the consumers of their
service that I see as a problem. I did read the description of their
service before I ever asked any questions about it. Had it included a
notice that they disable DNSSEC validation for all of .gov and .mil I
wouldn't have asked. I would have had my answer. It's the lack of
transparency that's a problem.
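The three-probe check described above (AD on a correctly signed name, SERVFAIL on a deliberately broken test subzone, and an answer for that same broken name once CD is set) can be reduced to a small decision on the DNS header flags. The following is an added illustration, not code from the poster or from any resolver operator; the responses it feeds in are constructed 12-byte headers, so it runs offline, and the function and zone names are assumptions for the example.

```python
import struct

RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header of a DNS response into the fields we check."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"ad": bool(flags & AD), "cd": bool(flags & CD),
            "rcode": flags & 0x000F, "ancount": an}


def classify_resolver(signed_reply: bytes, bogus_reply: bytes,
                      bogus_cd_reply: bytes) -> str:
    """Three probes: a correctly signed name, a deliberately broken (bogus)
    test name, and the same bogus name queried with CD set.  A validating
    resolver sets AD on the first, returns SERVFAIL on the second, and still
    answers the third because CD tells it to skip checking."""
    s, b, c = (parse_header(r) for r in (signed_reply, bogus_reply, bogus_cd_reply))
    if (s["ad"] and b["rcode"] == RCODE_SERVFAIL
            and c["rcode"] == RCODE_NOERROR and c["ancount"] > 0):
        return "validating"
    if not s["ad"] and b["rcode"] == RCODE_NOERROR and b["ancount"] > 0:
        return "not validating"  # e.g. validation switched off for the zone
    return "inconsistent"  # partial validation, timeouts or odd resolver behaviour


def constructed_reply(ad=False, cd=False, rcode=RCODE_NOERROR, ancount=1) -> bytes:
    """Build a header-only response (constructed test data, not a real packet)."""
    flags = QR | RD | RA | (AD if ad else 0) | (CD if cd else 0) | rcode
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)


# Constructed responses modelling the two behaviours described in the post.
VALIDATING = (constructed_reply(ad=True),
              constructed_reply(rcode=RCODE_SERVFAIL, ancount=0),
              constructed_reply(cd=True))
VALIDATION_DISABLED = (constructed_reply(ad=False),
                       constructed_reply(ad=False),
                       constructed_reply(cd=True))

if __name__ == "__main__":
    print(classify_resolver(*VALIDATING))           # validating
    print(classify_resolver(*VALIDATION_DISABLED))  # not validating
```

In practice the three replies would come from real queries against the resolver under test (a signed name, a known-bogus test name, and the bogus name with CD set); the classification logic is the same.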

