[dns-operations] Quad9 DNSSEC Validation?

Scott Morizot tmorizot at gmail.com
Mon Mar 1 14:52:56 UTC 2021

On Mon, Mar 1, 2021 at 7:26 AM Jim Popovitch via dns-operations <
dns-operations at dns-oarc.net> wrote:

> Over on the email side, I know of several instances in the past 5+ years
> where email providers have had to disable TLS and/or DANE/DNSSEC checks
> (i.e. postfix's smtp_tls_policy_maps) for .mil and .gov domains due
> mostly in part to poor key rollover management practices/monitoring.

Disabling SMTP opportunistic TLS is a bit different since the standard
fallback should be plain text SMTP anyway. I know our email people have a
number of domains (mostly in the .gov space) where TLS is not opportunistic
but enforced. The agencies that do that likely manage their SMTP
certificates, however they are provided, more stringently.

It's unclear from your phrasing, though, if they disabled SMTP TLS for
specific domains under .gov or .mil or for both entire gTLDs. The latter
would seem like an overreaction and downgrading security where there was no
identified operational need.

In either instance, it's not the same as a public service advertising a
particular set of features to those who decide to consume it and then
silently excluding large swaths of the Internet from one of those
advertised security features. That's what I pointed out. If Quad9 updated
the description of their service to accurately state the service they in
fact provide, I wouldn't have an issue. I wouldn't have even asked about it
publicly. Those who then chose to consume that service would have made an
informed choice about the service they are consuming.
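
For readers unfamiliar with the mechanism Jim refers to, the following is an
added illustration, not part of either poster's message, of how a Postfix
operator scopes such a downgrade to a single destination rather than to a whole
TLD. The global default is DANE (authenticated TLS when the destination
publishes DNSSEC-signed TLSA records, opportunistic TLS otherwise); the policy
table then overrides that for named domains. The domain names are hypothetical
placeholders, and the table path is an assumption.

```text
# /etc/postfix/main.cf  (global defaults; added example, not from the thread)
smtp_dns_support_level = dnssec      # ask the local validating resolver for the AD bit
smtp_host_lookup = dns
smtp_tls_security_level = dane       # authenticated TLS where TLSA is published, else "may"
smtp_tls_loglevel = 1
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy  (per-destination overrides; rebuild with: postmap /etc/postfix/tls_policy)
# Key is the next-hop destination domain; value is the security level (plus optional attributes).
#
# Destination with a history of broken TLSA/DNSSEC rollovers: keep TLS mandatory but
# stop verifying against DANE, so a stale TLSA record no longer bounces mail.
broken-rollover.example.gov     encrypt
#
# Destination whose operators are known to manage keys well: refuse to fall back at all.
well-run.example.gov            dane-only
#
# What the thread warns against: "none" or "may" here silently allows plaintext delivery.
# With "may", a TLS failure is retried in cleartext; with "none", TLS is never attempted.
legacy.example.mil              may
```

Three points follow from the levels themselves. "encrypt" is the narrowest
useful downgrade when DANE data is untrustworthy: TLS is still required, only
the TLSA check is dropped. "may" (Postfix's opportunistic level) is the one that
matches Scott's remark, since its defined fallback is unencrypted SMTP. And
because the table is keyed per destination, there is no reason for a key
rollover problem at one agency to cost every other domain under .gov or .mil
its DANE protection.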
