On Mon, Sep 08, 2025 at 03:56:52PM +0200, Michel Le Bihan wrote:

> While DNSSEC adoption is strong in some ccTLDs, two issues prevent it from
> being a complete solution:
>
> 1. *TLD limitations*: Some TLDs don't support DNSSEC at all (e.g., .im,
>    popular for XMPP services). Organizations using these domains cannot
>    deploy DNSSEC regardless of how motivated they are. For XMPP,
>    changing domains isn't feasible since they're part of user
>    identifiers ([email protected]).

The ".im" situation is not a permanent situation, the number of unsigned
ccTLDs continues to shrink. Registrants actively seeking DNSSEC support
should eventually yield results. Any standards work initiated today will
take quite some time to see broad deployment.

> 2. *Infrastructure breakage*: Some DNS forwarders, particularly home
>    routers, truncate responses and lack EDNS support (see Table 2, p.
>    583: https://www.usenix.org/system/files/sec20-zheng.pdf). This
>    breaks DNSSEC validation even for domains that properly support it.

Users can opt for non-broken DNS services, such as the unfiltered IPv4
public servers of:

  - Cloudflare:

    one.one.one.one.   A     1.1.1.1
    one.one.one.one.   A     1.0.0.1
    one.one.one.one.   AAAA  2606:4700:4700::1111
    one.one.one.one.   AAAA  2606:4700:4700::1001

  - Google:

    dns.google.        A     8.8.8.8
    dns.google.        A     8.8.4.4
    dns.google.        AAAA  2001:4860:4860::8888
    dns.google.        AAAA  2001:4860:4860::8844

  - Quad9:

    dns10.quad9.net.   A     9.9.9.10
    dns10.quad9.net.   A     149.112.112.10
    dns10.quad9.net.   AAAA  2620:fe::10
    dns10.quad9.net.   AAAA  2620:fe::fe:10

or, if preferred, the filtered versions.

-- 
    Viktor.  🇺🇦 Слава Україні!
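The breakage Michel describes (forwarders that strip EDNS or truncate answers) is easy to measure from a client: send a query that carries an EDNS0 OPT record with the DO bit set and look at what comes back. The script below is an added example, not part of the message above or of any resolver operator's tooling. It builds such a query by hand, parses the reply's header flags (TC, AD) and OPT record, and classifies what the resolver path did; `probe()` sends the query over plain UDP to one of the resolvers listed in the message (the default name `example.com` is assumed to be a DNSSEC-signed zone, swap in any signed name you trust). The embedded sample replies are constructed for offline testing, not captured traffic. Note the caveat: an AD flag is only worth trusting when the hop between the stub and the validating resolver is itself trusted (loopback, DoT or DoH); over open UDP it tells you what the path does, not that the answer is authentic.

```python
import socket
import struct
import sys

EDNS_UDP_SIZE = 1232  # DNS Flag Day 2020 default; fits in one unfragmented datagram

# DNS header flag bits (RFC 1035 / RFC 4035) and OPT record constants (RFC 6891)
FLAG_TC = 0x0200  # reply was truncated; client must retry over TCP
FLAG_AD = 0x0020  # authentic data: the resolver validated the answer
OPT_DO = 0x8000   # DNSSEC OK bit in the OPT flags (low 16 bits of the TTL field)
RR_OPT = 41


def build_query(name, qtype=1, txid=0x1234, dnssec_ok=True):
    """Wire-format query with RD set and an EDNS0 OPT record in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1 (OPT)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", RR_OPT, EDNS_UDP_SIZE, OPT_DO if dnssec_ok else 0, 0)
    return header + question + opt


def _read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset just past it in the packet)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:  # compression pointer; bound hops so a hostile reply cannot loop us
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            return ".".join(labels) + ".", end
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln


def analyze_response(pkt):
    """Extract the header flags and EDNS details that decide whether DNSSEC can work here."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    info = {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & FLAG_TC),
            "ad": bool(flags & FLAG_AD), "answers": an,
            "edns": False, "do": False, "udp_size": None}
    off = 12
    for _ in range(qd):
        _, off = _read_name(pkt, off)
        off += 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        _, off = _read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == RR_OPT:  # for OPT, CLASS carries the UDP size and TTL carries the flags
            info["edns"], info["udp_size"], info["do"] = True, rclass, bool(ttl & OPT_DO)
        off += rdlen
    return info


def classify(info):
    if info["tc"]:
        return "truncated: path cannot carry DNSSEC-sized answers over UDP"
    if not info["edns"]:
        return "no EDNS in reply: forwarder strips OPT, DNSSEC cannot work through it"
    if info["ad"]:
        return "validating resolver (AD set)"
    return "EDNS ok but AD clear: resolver does not validate, or the zone is unsigned"


def probe(resolver, name, timeout=3.0):
    """Send one EDNS/DO query over UDP port 53 and analyze whatever answers (live network)."""
    family = socket.AF_INET6 if ":" in resolver else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return analyze_response(data)


# Constructed sample replies (not captured traffic) for offline testing of the parser.
_Q = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
_A = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
_OPT = b"\x00" + struct.pack("!HHIH", RR_OPT, EDNS_UDP_SIZE, OPT_DO, 0)
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1) + _Q + _A + _OPT  # QR RD RA AD
SAMPLE_NO_EDNS = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q + _A          # OPT dropped
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + _Q             # QR TC RD RA

if __name__ == "__main__":
    # Usage: python dnssec_probe.py [signed-name] [resolver ...]
    name = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for r in sys.argv[2:] or ["1.1.1.1", "8.8.8.8", "9.9.9.10"]:
        try:
            print(r, classify(probe(r, name)))
        except (OSError, ValueError) as e:
            print(r, "error:", e)
```

Running the probe against your router's address and against one of the public resolvers side by side shows directly which of the two failure modes a home forwarder exhibits: a reply with the OPT record missing means EDNS was stripped, a reply with TC set means the answer was cut down to 512 bytes.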
