[dns-operations] Quad9 DNSSEC Validation?
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Mar 1 22:10:29 UTC 2021
On Mon, Mar 01, 2021 at 09:12:38AM +0100, Petr Špaček wrote:

> In my experience negative trust anchors for big parts of MIL and/or GOV
> are way more common, let's not pick specifically on Quad9. For periods
> of time I have seen with other big resolver operators as well.

The situation has improved over time. Presently, only 4 .mil domains
with published DS records (out of 260 I know of that resolve at all,
i.e. aren't just down even absent DNSSEC) have DNSSEC-related issues:

- dcmsa.mil https://dnsviz.net/d/dcmsa.mil/YD1Yjw/dnssec/
- vaccines.mil https://dnsviz.net/d/vaccines.mil/YDZrUw/dnssec/
- smallpox.mil https://dnsviz.net/d/smallpox.mil/YDZloA/dnssec/
- anthrax.mil https://dnsviz.net/d/anthrax.mil/YDZrMw/dnssec/

On the .gov side, just 10 of 1239 domains fail to return validated
DNSKEY RRsets (with rounded number of weeks duration):

 weeks | domain
-------+----------------------------
   148 | clinicaltrial.gov
   148 | fruitsandveggiesmatter.gov
   148 | gatrees.gov
   148 | uscapitolpolice.gov
   117 | adf.gov
    93 | greengov.gov
    93 | relocatefeds.gov
    32 | theftaz.gov
    17 | qatesttwai.gov
    13 | eureka-mt.gov

--
Viktor.