Philip Prindeville <philipp_s...@redfish-solutions.com> writes:

> How many ISPs squelch DNSSEC like that? I hope it's not a common practice!

More common than you'd like to think. See Geoff's excellent world map at https://stats.labs.apnic.net/dnssec

Note that no validation implies no signatures for downstream resolvers. Which makes the non-validating resolvers useless in forwarder statements, like you discovered. And useless in many other situations as well. You can't do DANE, for example.

FWIW, we (as in Telenor Norway) enabled validation in 2015, along with most of the other major Norwegian ISPs, after being educated with a sufficiently powerful LART by the local domain registry (NORID). They invited all the local resolver operators for a workshop in May 2015, focusing on the importance of validation. This is the primary reason Norway is green on that map.

I must admit I was a bit worried in the beginning. But we've had surprisingly few problems. And no major issues AFAIR.

There's really no reason to avoid dnssec-validation in 2022. Just go poke your ISP if they've disabled it.

Bjørn

--
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users