On 01.03.21 09:12, Petr Špaček wrote:
> On 28. 02. 21 9:39, Florian Weimer wrote:
>> * Winfried Angele:
>>> I guess they've turned off validation for irs.gov because of a
>>> former failure.
>> I think it goes beyond that. It extends to GOV and MIL as a whole, it
>> seems.
> In my experience negative trust anchors for big parts of MIL and/or GOV
> are way more common; let's not pick specifically on Quad9. For periods
> of time I have seen this with other big resolver operators as well.
>
> IMHO resolver market economics are going against DNSSEC security. If
> resolution does not work on one operator, people routinely switch to
> another where it "works", either because they do not validate at all or
> because their ops team has already added a negative trust anchor.
>
> The only way to fix this is a mutual agreement among operators to stop
> working around someone else's mistakes.
>
> Are there operators willing to participate in such an effort?
From our experience, it is very rare that a workaround is really
necessary. In such cases we try to inform the responsible persons with a
few mails. This is often successful and the workaround can be quickly
removed. I agree for cases where the responsible persons don't
care/don't respond.
Winfried Angele, DT
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations