Sparklight and DNSSEC

Bjørn Mork bjorn at mork.no
Sat Sep 24 09:20:39 UTC 2022


Philip Prindeville <philipp_subx at redfish-solutions.com> writes:

> How many ISPs squelch DNSSEC like that?  I hope it's not a common practice!

More common than you'd like to think.  See Geoff's excellent world map
at https://stats.labs.apnic.net/dnssec

Note that no validation implies no signatures for downstream resolvers.
Which makes the non-validating resolvers useless in forwarder
statements, like you discovered.  And useless in many other situations
as well.  You can't do DANE for example.

FWIW, we (as in Telenor Norway) enabled validation in 2015, along with
most of the other major Norwegian ISPs, after being educated with a
sufficiently powerful LART by the local domain registry (NORID).  They
invited all the local resolver operators for a workshop in May 2015,
focusing on the importance of validation. This is the primary reason
Norway is green on that map.

I must admit I was a bit worried in the beginning.  But we've had
surprisingly few problems. And no major issues AFAIR.

There's really no reason to avoid dnssec-validation in 2022.  Just go
poke your ISP if they've disabled it.


Bjørn


More information about the bind-users mailing list