[dns-operations] Quad9 DNSSEC Validation?

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Mar 1 22:19:51 UTC 2021

On Mon, Mar 01, 2021 at 10:40:39PM +0100, Bill Woodcock wrote:

> > FYI, if you're interested in looking at hard facts, I'll direct your
> > attention to Viktor and my stats page that specifically looks for
> > percentage of working domains within TLDS.  If you go to
> > https://stats.dnssec-tools.org/ and look at the TLD graphs tab at the
> > bottom, you can compare each TLD along with its history of success in
> > DNSSEC valid subdomains.
> The critical question is where you get the list of subdomains.  It’s
> easy to put together a list of short subdomains that validate.  It’s
> the long ones that get problematic.

By "long ones", do you mean deeper inside the delegated zones?  For
example, names that are incorrectly internally delegated to DNS
load-balancers that fail to do EDNS correctly (let alone DNSSEC), and
yet the delegation is signed?  (There was a recent thread about one such
case on this list).

If so, then indeed we don't collect data on domains deeper down the
tree.  We stop at the immediate child of a PSL suffix (TLD or other
delegation-mostly 2LD or 3LD), and then have visibility into just
the validation of zone-apex DNSKEY and MX records plus for each
MX host, A, AAAA and TLSA records.  If there are issues with
load-balanced or outsourced HTTP services, those are not observed.


More information about the dns-operations mailing list