<div dir="ltr"><div dir="ltr">On Sun, Feb 28, 2021 at 1:59 AM Winfried Angele <<a href="mailto:abang@t-ipnet.net">abang@t-ipnet.net</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">>Resolution fails as expected on our recursive infrastructure.<br>
>Resolution<br>
>fails through my personal Internet ISP's recursive nameservers<br>
>(Suddenlink)<br>
>which are also validating. And 8.8.8.8 and 1.1.1.1 return the expected<br>
>SERVFAIL. But 9.9.9.9 does not.<br>
<br>
I guess they've turned off validation for <a href="http://irs.gov" rel="noreferrer" target="_blank">irs.gov</a> because of a former failure. Maybe this one? <a href="https://dnsviz.net/d/irs.gov/XqOruQ/dnssec/?no_js=1" rel="noreferrer" target="_blank">https://dnsviz.net/d/irs.gov/XqOruQ/dnssec/?no_js=1</a><br><br></blockquote><div><br></div><div>Yes, that failure was a big deal to us when it happened last spring. There were a number of factors that led to it, some of them pandemic related, and it created a major disruption across our enterprise network, not just for Internet users. It was also a relatively pretty brief interruption in the night in the US. The history of it in DNSViz is mostly from me working on the problem. And it was resolved in a few hours.</div><div><br></div><div><a href="https://dnsviz.net/d/irs.gov/XqPUOQ/dnssec/?no_js=1">https://dnsviz.net/d/irs.gov/XqPUOQ/dnssec/?no_js=1</a><br></div><div><br></div><div>At the IRS, we have DNSSEC validation enabled throughout our recursive infrastructure and most of our internal DNS is also signed. If anything fails in our infrastructure and signing, it impacts 100% of our employees as well as the roughly one third of client queries in the US that originate exclusively from behind DNSSEC validating recursive nameservers.</div><div><br></div><div><a href="https://stats.labs.apnic.net/dnssec/US">https://stats.labs.apnic.net/dnssec/US</a><br></div><div><br></div><div>Nobody contacted us. There is no reason to rush to put in a negative trust anchor that quickly absent some sort of public outcry, which did not occur. And there is certainly no reason for it to still be in place almost a year later.</div><div><br></div><div>Scott</div></div></div>