[dns-operations] Quad9 DNSSEC Validation?

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Mar 1 23:28:04 UTC 2021


On Mon, Mar 01, 2021 at 02:40:38PM -0800, Brian Dickson wrote:

> > On the .gov side, just 10 of 1239 domains fail to return validated
> > DNSKEY RRsets (with rounded number of weeks duration):
> >
> >     weeks |           domain
> >    -------+----------------------------
> 
> >       148 | uscapitolpolice.gov
> 
> Just an observation, in terms of real world implications of DNSSEC
> validation failures:
> 
> I hope this wasn't in any way a contributing factor in the 2021-01-06
> events/response.

I hope so too.  I would expect that any real-time incident coordination,
was happening over other channels, but I did notice the irony of this
being one of the domains where operational discipline has been long
neglected.

In a similar vein, nationalmall.gov is also broken, but here, none of
the names listed in the NS RR from the parent exist, so the zone is
simply lame.

    https://dnsviz.net/d/nationalmall.gov/YD0BkA/dnssec/

-- 
    Viktor.


More information about the dns-operations mailing list