TLDR: Google Public DNS would, until 23 February, not check that the ZSK (signing key used to sign DNSSEC DNS responses) was in turn signed by the KSK. Google would accept any signed response, by any ZSK. Even worse, they would cache this response, and present it to end users as being non-DNSSEC signed.

Upon further testing, only Google was found to have had this problem.
Very cool to see a SIDN Labs post here. SIDN operates the .nl extension and puts the money earned into these kinds of research projects that benefit everyone.
> For reporting this bug, we received $5,000 from Google's bug bounty programme.

Excuse me?

That's quite an urgent and serious bug and I'm afraid that is too low, especially from a $1TN dollar company with billions of users.