[dns-operations] Quad9 DNSSEC Validation?
ietf-dane at dukhovni.org
Mon Mar 1 22:19:51 UTC 2021
On Mon, Mar 01, 2021 at 10:40:39PM +0100, Bill Woodcock wrote:
> > FYI, if you're interested in looking at hard facts, I'll direct your
> > attention to Viktor's and my stats page that specifically looks for
> > percentage of working domains within TLDs. If you go to
> > https://stats.dnssec-tools.org/ and look at the TLD graphs tab at the
> > bottom, you can compare each TLD along with its history of success in
> > DNSSEC valid subdomains.
> The critical question is where you get the list of subdomains. It’s
> easy to put together a list of short subdomains that validate. It’s
> the long ones that get problematic.
By "long ones", do you mean deeper inside the delegated zones? For
example, names that are incorrectly internally delegated to DNS
load-balancers that fail to do EDNS correctly (let alone DNSSEC), and
yet the delegation is signed? (There was a recent thread about one such
case on this list).
If so, then indeed we don't collect data on domains deeper down the
tree. We stop at the immediate child of a PSL suffix (TLD or other
delegation-mostly 2LD or 3LD), and then have visibility into just
the validation of zone-apex DNSKEY and MX records plus for each
MX host, A, AAAA and TLSA records. If there are issues with
load-balanced or outsourced HTTP services, those are not observed.
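The survey scope described above (apex DNSKEY and MX, then A, AAAA and TLSA for each MX host, nothing deeper), as an added illustration that is not the stats site's code; it assumes a stand-in resolver returning constructed answers so it runs offline, and places the TLSA lookup at `_25._tcp.<mxhost>` as an SMTP client would.

```python
# Added illustration of the survey walk described in the message: query the
# zone-apex DNSKEY and MX, then A/AAAA/TLSA for each MX host, and classify
# each answer as secure, insecure or bogus.  Driven by a stand-in resolver
# so it runs offline; this is not the stats site's own code.
from typing import Callable, Dict, List, Optional, Tuple

# (qname, qtype) -> (answers, ad_bit).  answers=None stands for SERVFAIL, which
# is what a validating resolver returns for a bogus chain or a broken EDNS path.
Answer = Tuple[Optional[List[str]], bool]
Resolver = Callable[[str, str], Answer]

# Constructed sample data: names, addresses and the key string are invented.
SAMPLE: Dict[Tuple[str, str], Answer] = {
    ("example.org.", "DNSKEY"): (["257 3 13 <key-placeholder>"], True),
    ("example.org.", "MX"): (["10 mx1.example.org."], True),
    ("mx1.example.org.", "A"): (["192.0.2.25"], True),
    ("mx1.example.org.", "AAAA"): ([], True),                 # authenticated NODATA
    ("_25._tcp.mx1.example.org.", "TLSA"): (None, False),     # bogus: SERVFAIL
    # A deeper name behind a load balancer that mishandles EDNS.  The survey
    # never queries it, so its breakage is invisible to this kind of survey.
    ("www.example.org.", "A"): (None, False),
}

def stub_resolver(qname: str, qtype: str) -> Answer:
    # Anything not in the table is treated as an authenticated NODATA answer.
    return SAMPLE.get((qname, qtype), ([], True))

def survey_apex(zone: str, resolve: Resolver) -> Dict[str, str]:
    """Return {"<name>/<type>": "secure" | "insecure" | "bogus"} for exactly the
    records the survey looks at: apex DNSKEY and MX, then per-MX-host A, AAAA
    and TLSA (the latter at _25._tcp.<host>)."""
    def classify(qname: str, qtype: str) -> str:
        answers, ad = resolve(qname, qtype)
        if answers is None:
            return "bogus"                    # validation failure / SERVFAIL
        return "secure" if ad else "insecure"  # AD bit set means validated

    report: Dict[str, str] = {}
    for qtype in ("DNSKEY", "MX"):
        report[f"{zone}/{qtype}"] = classify(zone, qtype)
    mx_answers, _ = resolve(zone, "MX")
    for rr in mx_answers or []:
        host = rr.split()[1]                  # "<preference> <exchange>"
        for qtype in ("A", "AAAA"):
            report[f"{host}/{qtype}"] = classify(host, qtype)
        tlsa_name = f"_25._tcp.{host}"
        report[f"{tlsa_name}/TLSA"] = classify(tlsa_name, "TLSA")
    return report

if __name__ == "__main__":
    for key, status in survey_apex("example.org.", stub_resolver).items():
        print(f"{status:8} {key}")
```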