On Mon, Mar 1, 2021 at 2:21 AM Petr Špaček <[email protected]> wrote:
> In my experience negative trust anchors for big parts of MIL and/or GOV
> are way more common, let's not pick specifically on Quad9. For periods
> of time I have seen this with other big resolver operators as well.
>

That's an interesting assertion. Do you have any data to support it?

I checked validation of our zone through all major providers whose nameservers I could access that advertise DNSSEC validation, including my own personal, residential ISP. They all responded with the AD flag in queries for irs.gov. And they all returned SERVFAIL for queries for the test subzone I have had in place for a decade, but did return a response for that test zone with the CD flag enabled.

Quad9 is the only one I could find that advertises they perform DNSSEC validation in their public documentation for a service provided to the general public but who have silently and without notice disabled all such validation for the entire .gov and .mil gTLDs. If you know of another such public recursive DNS service doing the same, please share that.

And it is the failure to provide any notice to the consumers of their service that I see as a problem. I did read the description of their service before I ever asked any questions about it. Had it included a notice that they disable DNSSEC validation for all of .gov and .mil, I wouldn't have asked. I would have had my answer. It's the lack of transparency that's a problem.

Scott
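As an added example (not code from this thread or from any resolver operator), the check Scott describes can be scripted: a known-signed name should come back NOERROR with AD, a deliberately broken test zone should SERVFAIL, and the same broken zone should answer when CD is set. The script parses dig's header lines; the resolver address, the names and the sample dig output are assumptions or constructed values.

```shell
#!/bin/sh
# Classify one response from its rcode and flag list.
#   validated      NOERROR with AD set (resolver validated the chain)
#   not-validated  NOERROR without AD (unsigned zone, CD set, or no validation)
#   bogus-rejected SERVFAIL (validating resolver refused a broken chain)
classify_dnssec() {
    status=$1; flags=$2
    case "$status" in
        SERVFAIL) echo bogus-rejected ;;
        NOERROR)
            case " $flags " in
                *" ad "*) echo validated ;;
                *)        echo not-validated ;;
            esac ;;
        *) echo "other:$status" ;;
    esac
}

# Pull "status" and the flag list out of dig text output read on stdin,
# printing them as "STATUS|flags".
parse_dig_output() {
    awk '/->>HEADER<<-/ { sub(/.*status: /, ""); sub(/,.*/, ""); status = $0 }
         /^;; flags:/   { sub(/^;; flags: /, ""); sub(/;.*/, ""); flags = $0 }
         END { print status "|" flags }'
}

# Combine the three probes into a verdict on the resolver:
#   $1 signed name (no CD)  $2 broken test zone (no CD)  $3 broken zone with +cd
resolver_verdict() {
    if [ "$1" = validated ] && [ "$2" = bogus-rejected ] && [ "$3" = not-validated ]; then
        echo validating
    elif [ "$1" = not-validated ] && [ "$2" = not-validated ]; then
        echo not-validating       # no AD anywhere: validation off or an NTA covers the zone
    else
        echo inconsistent
    fi
}

# Live probe (only when RESOLVER is set, so the file is safe to source):
#   RESOLVER=9.9.9.9 SIGNED=irs.gov BROKEN=bogus.example ./check.sh
probe() { dig @"$RESOLVER" "$1" A +dnssec $2 | parse_dig_output; }
if [ -n "${RESOLVER:-}" ]; then
    s=$(probe "$SIGNED" "");  b=$(probe "$BROKEN" "");  c=$(probe "$BROKEN" "+cd")
    resolver_verdict "$(classify_dnssec ${s%%|*} "${s#*|}")" \
                     "$(classify_dnssec ${b%%|*} "${b#*|}")" \
                     "$(classify_dnssec ${c%%|*} "${c#*|}")"
fi
```

The broken test zone must be one whose signatures are deliberately invalid, as in Scott's decade-old subzone; an unsigned zone will not produce a SERVFAIL and so cannot distinguish a validating resolver from one that is not.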
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
