<div dir="ltr"><div>I submitted a report through their interface, but I was curious if anyone had noticed other oddities about Quad9's operational implementation of DNSSEC validation. I happened to notice today that their service resolved the test subzone I've had set up for the past decade to test DNSSEC validation. (The failure is straightforward. The DS record in <a href="http://irs.gov">irs.gov</a> does not match any of the DNSKEY records in the <a href="http://dnssec-failed.irs.gov">dnssec-failed.irs.gov</a> RRSet and thus fails to match the DNSKEY RRSIG.)</div>
<div><br></div>
<div>Resolution fails as expected on our recursive infrastructure. Resolution fails through my personal Internet ISP's recursive nameservers (Suddenlink), which are also validating. And 8.8.8.8 and 1.1.1.1 return the expected SERVFAIL. But 9.9.9.9 does not.</div>
<div><br></div>
<pre>
C:\&gt;dig @9.9.9.9 dnssec-failed.irs.gov ns

; &lt;&lt;&gt;&gt; DiG 9.12.1-P2 &lt;&lt;&gt;&gt; @9.9.9.9 dnssec-failed.irs.gov ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 7807
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec-failed.irs.gov.         IN      NS

;; ANSWER SECTION:
dnssec-failed.irs.gov.  14400   IN      NS      ns5.irs.gov.
dnssec-failed.irs.gov.  14400   IN      NS      ns6.irs.gov.
dnssec-failed.irs.gov.  14400   IN      NS      ns1.irs.gov.
dnssec-failed.irs.gov.  14400   IN      NS      ns2.irs.gov.
dnssec-failed.irs.gov.  14400   IN      NS      ns3.irs.gov.
dnssec-failed.irs.gov.  14400   IN      NS      ns4.irs.gov.

;; Query time: 111 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Sat Feb 27 14:47:52 Central Standard Time 2021
;; MSG SIZE  rcvd: 158
</pre>
<div><br></div>
<div>When I set the adflag in the query for our second-level domain, it's not set in the reply. It is set in replies for other zones like <a href="http://comcast.net">comcast.net</a>.</div>
<div><br></div>
<pre>
C:\&gt;dig @9.9.9.9 irs.gov ns +dnssec +adflag

; &lt;&lt;&gt;&gt; DiG 9.12.1-P2 &lt;&lt;&gt;&gt; @9.9.9.9 irs.gov ns +dnssec +adflag
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 9737
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;irs.gov.                       IN      NS

;; ANSWER SECTION:
irs.gov.                7200    IN      NS      ns5.irs.gov.
irs.gov.                7200    IN      NS      ns3.irs.gov.
irs.gov.                7200    IN      NS      ns4.irs.gov.
irs.gov.                7200    IN      NS      ns1.irs.gov.
irs.gov.                7200    IN      NS      ns6.irs.gov.
irs.gov.                7200    IN      NS      ns2.irs.gov.
irs.gov.                7200    IN      RRSIG   NS 8 2 7200 20210306030006 20210227020006 14079 irs.gov. UiKOASs3k/KJ7dom32117wBIyyQkXU7kk8cGqGyYw144+wczgIlPmx4V uCk6CeXjlVJqDUPokeecsYDGjIy97CLH2ov88HTscEwjBepQR/c/QqU0 BB3onjVmcFCBdwc0zJhTG3MM0dR5JvLcgxw6Jj3IjP1w8C0A6Lmstesg ojb6NOc97m50mzbUuNIHEnt1x2DZ7fTYMakQYFZLgHDCZmj8xFIlL5S3 mindmqVa8sRvaDEl5No2tQpACDnqOgIhUDie3dscMnVSM8f0avYisjkw S6GBynWLhHZGkkTcDlPKYuNqf2VRcZRdQTezLZyk4jG8DBhQSRNaTZj/ iqyeGw==

;; Query time: 111 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Sat Feb 27 14:47:45 Central Standard Time 2021
;; MSG SIZE  rcvd: 439
</pre>
<div><br></div>
<pre>
C:\&gt;dig @9.9.9.9 comcast.net ns +dnssec +adflag

; &lt;&lt;&gt;&gt; DiG 9.12.1-P2 &lt;&lt;&gt;&gt; @9.9.9.9 comcast.net ns +dnssec +adflag
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 40387
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;comcast.net.                   IN      NS

;; ANSWER SECTION:
comcast.net.            7200    IN      NS      dns101.comcast.net.
comcast.net.            7200    IN      NS      dns102.comcast.net.
comcast.net.            7200    IN      NS      dns105.comcast.net.
comcast.net.            7200    IN      NS      dns104.comcast.net.
comcast.net.            7200    IN      NS      dns103.comcast.net.
comcast.net.            7200    IN      RRSIG   NS 5 2 7200 20210314144427 20210225143927 26550 comcast.net. Iot8H7kR1FmShx00Z6FkuqoVTQbcvyILTIeehw8GBqYCF8bBn/yklka+ AOtj7S0qQwINc4BTYdbGPKYZyA0n7OmXWddsZfmVhsf7/6g3mx5x9Vfd BNhFk0fmudCERsvA3nmk8vyH7ngS46oHvT/zzLYgko2LxPZRBtq84Kxe peA=

;; Query time: 65 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Sat Feb 27 14:47:38 Central Standard Time 2021
;; MSG SIZE  rcvd: 316
</pre>
<div><br></div>
<div>Are there other inconsistencies about which I should be aware? The above seems to indicate they have DNSSEC validation intentionally disabled for our zone. That concerns me, since we advertise DNSSEC-secured authoritative zones, and anyone using a DNSSEC-validating recursive service would reasonably expect validated responses and failures enforced.</div>
<div><br></div>
<div>Thanks,</div>
<div><br></div>
<div>Scott Morizot</div>
<div><br></div></div>
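The check Scott describes, as an added example that is not code from the post or from Quad9: a validating resolver may trust a child's DNSKEY RRset only if the parent's DS record matches one of those keys by algorithm, key tag and digest over the canonical owner name plus DNSKEY RDATA, and that is exactly what fails for dnssec-failed.irs.gov. All key bytes below are constructed; only the zone name comes from the post.

```python
# DS-to-DNSKEY matching as a validating resolver does it (RFC 4034 s5.1.4 and Appendix B).
# Added example with constructed key material; only the zone name comes from the post.
import hashlib
import struct
from collections import namedtuple

DNSKEY = namedtuple("DNSKEY", "flags protocol algorithm public_key")  # 257 = KSK, 256 = ZSK
DS = namedtuple("DS", "key_tag algorithm digest_type digest")
# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def dnskey_rdata(key: DNSKEY) -> bytes:
    return struct.pack("!HBB", key.flags, key.protocol, key.algorithm) + key.public_key

def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B: sum the RDATA as big-endian 16-bit words, then fold in the carry."""
    rd = dnskey_rdata(key)
    ac = sum(int.from_bytes(rd[i:i + 2].ljust(2, b"\x00"), "big") for i in range(0, len(rd), 2))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """What the parent zone publishes: digest over (canonical owner name | DNSKEY RDATA)."""
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + dnskey_rdata(key)).digest()
    return DS(key_tag(key), key.algorithm, digest_type, digest)

def ds_matches_rrset(ds: DS, owner: str, dnskeys) -> bool:
    """True if some DNSKEY in the child's RRset is the key the parent's DS commits to.
    Key tag and algorithm are cheap pre-filters; the digest comparison is the real check."""
    if ds.digest_type not in DIGEST_ALGS:
        return False  # unsupported digest type: this DS cannot be used (RFC 4509 s3)
    hasher = DIGEST_ALGS[ds.digest_type]
    return any(k.algorithm == ds.algorithm and key_tag(k) == ds.key_tag
               and hasher(owner_wire(owner) + dnskey_rdata(k)).digest() == ds.digest
               for k in dnskeys)

def broken_delegation_demo() -> bool:
    """Mirror the post: the parent's DS was made from a KSK the child no longer publishes."""
    child = "dnssec-failed.irs.gov"
    old_ksk = DNSKEY(257, 3, 8, b"constructed-old-ksk-bytes")  # key the DS was generated from
    cur_ksk = DNSKEY(257, 3, 8, b"constructed-new-ksk-bytes")  # KSK the child actually serves
    zsk = DNSKEY(256, 3, 8, b"constructed-zsk-bytes")
    parent_ds = make_ds(child, old_ksk)
    # No DNSKEY matches, so the DNSKEY RRSIG cannot be trusted: a validator must SERVFAIL.
    return ds_matches_rrset(parent_ds, child, [cur_ksk, zsk])  # -> False
```

A resolver that answers NOERROR for such a zone, as 9.9.9.9 does in the dig output above, is either not validating that zone or has it on an exception list.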