> On Mar 1, 2021, at 9:12 AM, Petr Špaček <[email protected]> wrote:
> In my experience negative trust anchors for big parts of MIL and/or GOV are 
> way more common, let's not pick specifically on Quad9. For periods of time I 
> have seen them with other big resolver operators as well.
> IMHO resolver market economics are going against DNSSEC security. If 
> resolution does not work on one operator people routinely switch to another 
> where it "works", either because they do not validate at all, or because 
> their ops team already added a negative trust anchor.
> The only way to fix this is mutual agreement among operators to stop working 
> around someone else's mistakes.

Yep, exactly.

> Are there operators willing to participate in such an effort?

We’ve been pushing for it for several years without gaining traction yet.  We’d 
very much like others to come to the table.

I spent a bunch of time talking with John Todd, our General Manager, about this 
last night, and he’s writing up a more official Quad9 response to this thread.

                                -Bill


_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
