<div dir="ltr"><div dir="ltr">On Sun, Feb 28, 2021 at 2:44 AM Florian Weimer <<a href="mailto:fw@deneb.enyo.de">fw@deneb.enyo.de</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">* Winfried Angele:<br>
<br>
> I guess they've turned off validation for <a href="http://irs.gov" rel="noreferrer" target="_blank">irs.gov</a> because of a<br>
> former failure.<br>
<br>
I think it goes beyond that. It extends to GOV and MIL as a whole, it<br>
seems.<br><br></blockquote><div><br></div><div>Interesting. It didn't occur to me to check that. It appears you are correct.</div><div><br></div><div>Their website should certainly document that they have such a huge exception in place for two major US gTLDs in their DNSSEC validation implementation.</div><div><br></div><div>If it is documented somewhere, I couldn't find it.</div><div><br></div><div>C:\>dig @<a href="http://9.9.9.9">9.9.9.9</a> gov. ns +dnssec +adflag<br><br>; <<>> DiG 9.12.1-P2 <<>> @<a href="http://9.9.9.9">9.9.9.9</a> gov. ns +dnssec +adflag<br>; (1 server found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49356<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags: do; udp: 512<br>;; QUESTION SECTION:<br>;gov. IN NS<br><br>;; ANSWER SECTION:<br>gov. 43200 IN NS <a href="http://a.gov-servers.net">a.gov-servers.net</a>.<br>gov. 43200 IN NS <a href="http://c.gov-servers.net">c.gov-servers.net</a>.<br>gov. 43200 IN NS <a href="http://b.gov-servers.net">b.gov-servers.net</a>.<br>gov. 43200 IN NS <a href="http://d.gov-servers.net">d.gov-servers.net</a>.<br>gov. 43200 IN RRSIG NS 8 1 172800 20210307111009 20210228111009 27306 gov. Hsn0bfePCVgL89MzbJLO+qWeVS8UyBhTsI8ZkiM0L3Bd4Ts94b5Lr+b6 1mmRBggNq60YNmNNr0T6pWYgiXvkHNFiMAkOWsWnBhF78bFhvZZzWUWU ajD3Jcwj9iYK2OiL+ee3Qk1U0iBIAcoAkB7xD8Ffk0wzzak3Ly/Q6M3s Y/cjCmsI5ts6KtCxZoE3vrqZVyRaqAVQdsyJDZx7HCsjig==<br><br>;; Query time: 57 msec<br>;; SERVER: 9.9.9.9#53(9.9.9.9)<br>;; WHEN: Sun Feb 28 06:39:33 Central Standard Time 2021<br>;; MSG SIZE rcvd: 306<br><br><br>C:\>dig @<a href="http://9.9.9.9">9.9.9.9</a> mil. ns +dnssec +adflag<br><br>; <<>> DiG 9.12.1-P2 <<>> @<a href="http://9.9.9.9">9.9.9.9</a> mil. ns +dnssec +adflag<br>; (1 server found)<br>;; global options: +cmd<br>;; Got answer:<br>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7742<br>;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1<br><br>;; OPT PSEUDOSECTION:<br>; EDNS: version: 0, flags: do; udp: 1232<br>;; QUESTION SECTION:<br>;mil. IN NS<br><br>;; ANSWER SECTION:<br>mil. 19475 IN NS <a href="http://CON2.NIPR.mil">CON2.NIPR.mil</a>.<br>mil. 19475 IN NS <a href="http://EUR1.NIPR.mil">EUR1.NIPR.mil</a>.<br>mil. 19475 IN NS <a href="http://PAC1.NIPR.mil">PAC1.NIPR.mil</a>.<br>mil. 19475 IN NS <a href="http://CON1.NIPR.mil">CON1.NIPR.mil</a>.<br>mil. 19475 IN NS <a href="http://PAC2.NIPR.mil">PAC2.NIPR.mil</a>.<br>mil. 19475 IN NS <a href="http://EUR2.NIPR.mil">EUR2.NIPR.mil</a>.<br>mil. 19475 IN RRSIG NS 8 1 21600 20210305172406 20210226172406 19128 mil. xgAGFEuR9fgkV3LFYwkVgES3PzZOJan/Rnxz3eK9UJIf87Hvr3b8/6G4 Wk8Bc+3amLOZYEt483hU3ONJKa+gY4Mb4i7jCc1otvyOxF0eCWMTLN6V 9ZBKK5sLJm5GSYblD+MWS5Ko6DiwbGhR6u4PatEzrXhUrLITiSjQjLJH 1rQ=<br><br>;; Query time: 59 msec<br>;; SERVER: 9.9.9.9#53(9.9.9.9)<br>;; WHEN: Sun Feb 28 06:39:43 Central Standard Time 2021<br>;; MSG SIZE rcvd: 314<br></div><div><br></div></div></div>