Sparklight and DNSSEC
Philip Prindeville
philipp_subx at redfish-solutions.com
Mon Sep 26 18:07:31 UTC 2022
> On Sep 24, 2022, at 3:20 AM, Bjørn Mork <bjorn at mork.no> wrote:
>
> Philip Prindeville <philipp_subx at redfish-solutions.com> writes:
>
>> How many ISP's squelch DNSSEC like that? I hope it's not a common practice!
>
> More common than you'd like to think. See Geoff's excellent world map
> at https://stats.labs.apnic.net/dnssec
>
> Note that no validation implies no signatures for downstream resolvers.
> Which makes the non-validating resolvers useless in a forwarder
> statements, like you discovered. And useless in many other situations
> as well. You can't do DANE for example.
>
> FWIW, we (as in Telenor Norway) enabled validation in 2015, along with
> most of the other major Norwegian ISPs, after being educated with a
> sufficiently powerful LART by the local domain registry (NORID). They
> invited all the local resolver operators for a workshop in May 2015,
> focusing on the importance of validation. This is the primary reason
> Norway is green on that map..
>
> I must admit I was a bit worried in the beginning. But we've had
> surprisingly few problems. And no major issues AFAIR.
>
> There's really no reason to avoid dnssec-validation in 2022. Just go
> poke your ISP if they've disabled it.
>
>
> Bjørn
> --
So... was 2019 the year that Netflix had no Norwegian viewers? ;-)
Nice job Saudi Arabia, BTW... 2nd highest rank after SJ which doesn't really count.
-Philip
More information about the bind-users
mailing list