Negative Trust Anchors
Quad9 believes that DNSSEC is required for a secure DNS and will only implement Negative Trust Anchors (NTAs) for the shortest time possible when it believes the greater harm would come from taking no action.
Summary
An NTA is an exception rule manually inserted into a recursive resolver to bypass DNSSEC validation for a host or domain; it removes the integrity validation guarantees for that entire domain tree. NTAs are intended to be temporary workarounds for configuration mishaps, but they are sometimes used when a network path has difficulty passing DNSSEC records, or when bugs encountered in operational settings cause validation failures for a small set of domains.
We believe NTAs are dangerous and often create more long-term problems than they solve in the short term. Quad9's intention is to let the records in any zone that is "broken" from a DNSSEC perspective remain unresolvable, in order to encourage authoritative operators to repair the non-functional zone. If we or other recursive resolver operators continue to insert long-term NTA exceptions into our respective systems, the operator of the faulty authoritative zone will receive contradictory information about the status of their DNSSEC configuration from different recursive resolvers, which may or may not have identical NTA settings.
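To make the scoping rule concrete, here is an added example (not Quad9 code) that models how a validating resolver applies an NTA: the exception covers the named zone and every name beneath it, it is matched label by label rather than by string suffix, and each entry carries an expiry so that stale anchors can be flagged for removal. The list format used here (zone name plus an ISO 8601 expiry) is constructed for the example and is not the format of the published https://quad9.net/api/ntas.txt.

```python
"""Model of how a Negative Trust Anchor (NTA) scopes a DNSSEC validation bypass.

Added example, not Quad9 code. The NTA list format below is constructed for
this illustration (one entry per line: zone name, expiry timestamp in UTC);
it is not the format of the real https://quad9.net/api/ntas.txt.
"""
from datetime import datetime, timezone

# Constructed sample list: one zone with a live NTA, one whose NTA has lapsed.
CONSTRUCTED_NTA_LIST = """\
# zone            expires (UTC)
broken.example.   2024-01-10T00:00:00Z
old.example.      2023-06-01T00:00:00Z
"""


def normalize(name: str) -> str:
    """Lower-case a domain name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_nta_list(text: str) -> dict[str, datetime]:
    """Parse the constructed list into {zone: expiry}, ignoring comments and blanks."""
    ntas: dict[str, datetime] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        zone, expires = line.split()
        ntas[normalize(zone)] = datetime.fromisoformat(expires.replace("Z", "+00:00"))
    return ntas


def covering_nta(qname: str, ntas: dict[str, datetime], now: datetime):
    """Return the zone of the active NTA covering qname, or None.

    An NTA applies to the zone itself and to every name below it (the whole
    domain tree), so we walk from qname upward through its ancestors.
    Matching is done on whole labels, so 'notbroken.example.' is NOT covered
    by an NTA for 'broken.example.' even though it ends with the same text.
    """
    labels = normalize(qname).rstrip(".").split(".") if normalize(qname) != "." else []
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        expiry = ntas.get(candidate)
        if expiry is not None and expiry > now:
            return candidate
    return None


def validation_required(qname: str, ntas: dict[str, datetime], now: datetime) -> bool:
    """True if the resolver must still DNSSEC-validate answers for qname."""
    return covering_nta(qname, ntas, now) is None


def expired_ntas(ntas: dict[str, datetime], now: datetime) -> list[str]:
    """Zones whose NTA has lapsed and should be removed from the resolver."""
    return sorted(zone for zone, expiry in ntas.items() if expiry <= now)


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ntas = parse_nta_list(CONSTRUCTED_NTA_LIST)
    for name in ("www.broken.example", "notbroken.example", "www.old.example"):
        print(f"{name:22} validation required: {validation_required(name, ntas, now)}")
    print("expired NTAs to remove:", expired_ntas(ntas, now))
```

The label-wise ancestor walk is the part worth copying: a naive `endswith` check would silently extend the bypass to unrelated zones that merely share a textual suffix, which is exactly the kind of over-broad exception the policy above is trying to avoid.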
We hope that other providers join us in eliminating or significantly reducing their NTA lists and making those lists public as we have done on this page.
You can read more about the history and Quad9’s position in our blog at: https://quad9.net/news/blog/dnssec-ntas-no-good-compromises/
NTA Addition Criteria
Quad9 applies the following criteria, and only in very limited circumstances, when deciding whether to add an NTA:
- If we receive significant customer complaints about a faulty DNSSEC-signed zone, AND
- If we believe this will lead to a significant number of customers leaving the Quad9 platform if the domain does not resolve, AND
- If we believe the zone in question is simply faulty instead of compromised,
then we MAY consider adding an NTA for that zone or its parent zone. Meeting these criteria does not always mean an NTA will be added; they are our minimum requirements.
There are additional criteria we evaluate which may still prevent the addition of an NTA. An NTA exception is the last option to be considered for preventing large-scale user migration.
You can access the Quad9 list of NTAs here: https://quad9.net/api/ntas.txt