[dns-operations] Quad9 DNSSEC Validation?

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Mar 1 22:10:29 UTC 2021


On Mon, Mar 01, 2021 at 09:12:38AM +0100, Petr Špaček wrote:

> In my experience negative trust anchors for big parts of MIL and/or GOV 
> are way more common, let's not pick specifically on Quad9. For periods 
> of time I have seen with other big resolver operators as well.

The situation has improved over time.  Presently, only 4 .mil domains
with published DS records (out of 260 I know of that resolve at all,
i.e. aren't just down even absent DNSSEC) have DNSSEC-related issues:

    - dcmsa.mil         https://dnsviz.net/d/dcmsa.mil/YD1Yjw/dnssec/
    - vaccines.mil      https://dnsviz.net/d/vaccines.mil/YDZrUw/dnssec/
    - smallpox.mil      https://dnsviz.net/d/smallpox.mil/YDZloA/dnssec/
    - anthrax.mil       https://dnsviz.net/d/anthrax.mil/YDZrMw/dnssec/

On the .gov side, just 10 of 1239 domains fail to return validated
DNSKEY RRsets (with rounded number of weeks duration):

    weeks |           domain           
   -------+----------------------------
      148 | clinicaltrial.gov
      148 | fruitsandveggiesmatter.gov
      148 | gatrees.gov
      148 | uscapitolpolice.gov
      117 | adf.gov
       93 | greengov.gov
       93 | relocatefeds.gov
       32 | theftaz.gov
       17 | qatesttwai.gov
       13 | eureka-mt.gov

-- 
    Viktor.


More information about the dns-operations mailing list