<div dir="ltr"><div dir="ltr">On Mon, Mar 1, 2021 at 2:21 AM Petr Špaček <<a href="mailto:pspacek@isc.org">pspacek@isc.org</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">In my experience negative trust anchors for big parts of MIL and/or GOV <br>
are way more common, let's not pick specifically on Quad9. For periods <br>
of time I have seen with other big resolver operators as well.<br><br></blockquote><div><br></div><div>That's an interesting assertion. Do you have any data to support it? I checked validation of our zone through all major providers whose nameservers I could access that advertise DNSSEC validation including my own personal, residential ISP. They all responded with the AD flag in queries for <a href="http://irs.gov">irs.gov</a>. And they all returned SERVFAIL for queries for the test subzone I have had in place for a decade but did return a response for that test zone with the CD flag enabled. Quad9 is the only one I could find that advertises they perform DNSSEC validation in their public documentation for a service provided to the general public but who have silently and without notice disabled all such validation for the entire .gov and .mil gTLDs.</div><div><br></div><div>If you know of another such public recursive DNS service doing the same, please share that.</div><div><br></div><div>And it is the failure to provide any notice to the consumers of their service that I see as a problem. I did read the description of their service before I ever asked any questions about it. Had it included a notice that they disable DNSSEC validation for all of .gov and .mil I wouldn't have asked. I would have had my answer. It's the lack of transparency that's a problem.</div><div><br></div><div>Scott</div></div></div>