[dns-operations] Quad9 DNSSEC Validation?
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Mar 1 23:28:04 UTC 2021
On Mon, Mar 01, 2021 at 02:40:38PM -0800, Brian Dickson wrote:
> > On the .gov side, just 10 of 1239 domains fail to return validated
> > DNSKEY RRsets (with rounded number of weeks duration):
> >
> > weeks | domain
> > -------+----------------------------
>
> > 148 | uscapitolpolice.gov
>
> Just an observation, in terms of real world implications of DNSSEC
> validation failures:
>
> I hope this wasn't in any way a contributing factor in the 2021-01-06
> events/response.
I hope so too. I would expect that any real-time incident coordination
was happening over other channels, but I did notice the irony of this
being one of the domains where operational discipline has been long
neglected.
In a similar vein, nationalmall.gov is also broken, but here, none of
the names listed in the NS RR from the parent exist, so the zone is
simply lame.
https://dnsviz.net/d/nationalmall.gov/YD0BkA/dnssec/
--
Viktor.