[dns-operations] NTA for DE installed on 1.1.1.1 around an hour ago

Carsten Strotmann carsten at strotmann.de
Mon May 11 06:26:48 UTC 2026


Hello Joe,
Hello DNS-OARC people,

On 6 May 2026, at 1:16, Joe Abley via dns-operations wrote:

> In case it's useful to know, an NTA for the DE top-level domain was rolled out on 1.1.1.1 at around 2026-05-05 22:20 UTC.
>
> We see well-signed responses from most (but not clearly all) DE authoritative servers right now, but we plan to leave the NTA in place until we have had a chance to coordinate with DENIC, in the interests of avoiding surprises.

I wonder how Cloudflare and others made the decision to activate an NTA during the incident.

During the incident, to me looking from the outside (without contact with DENIC), there was no clear indication whether the DNSSEC issues seen in the "de." zone were caused by an attack or by misconfiguration (or did I miss something?).

Prematurely activating an NTA in case of an attack on DNSSEC might cause harm to the Internet as a whole, esp. on a public DNS resolver used by a large percentage of Internet users.

It would be helpful if operators of important DNSSEC-signed zones (Root, TLDs, important infrastructure providers like Google, Microsoft, Cloudflare ...) published a statement online explaining how they will communicate publicly in case of a DNSSEC incident, esp. how and where they will inform about the root cause of the issue.

The operator of the failing DNSSEC-signed zone is in the best spot to distinguish an attack from misconfiguration or misbehaving equipment. Once the operator of the failing DNSSEC-secured namespace has ruled out an attack, this finding should be made public as soon as possible to help people on the Internet decide on activating an NTA.

A public communication channel would also lower the number of people trying to reach the operator to get first-hand information on the incident, which is needed to be able to decide on the activation of an NTA.

Maybe we need a central, trusted information hub for DNSSEC issue related information. ICANN? DNS-OARC? DNS-VIZ?

I have no answers, just the feeling that something is missing, and last week's incident has made it visible that the DNSSEC puzzle is not complete.


Greetings

Carsten Strotmann