[dns-operations] NTA for DE installed on 1.1.1.1 around an hour ago

Joe Abley jabley at strandkip.nl
Mon May 11 06:38:30 UTC 2026


Hi Carsten,

Some Cloudflare DNS people wrote a nice blog that included some mention of the decision-making process:

https://blog.cloudflare.com/de-tld-outage-dnssec/

We were guided by informal contact with people we knew at DENIC, the interpretation of visible signals shared by other people in the DNS-OARC community through this mailing list and Mattermost, and the guidance in RFC 7646. The decision to deploy an NTA was not taken lightly, and involved briefing of and buy-in from some senior executives. The core question was, as you say, whether the DNSSEC validation failures we were seeing on 1.1.1.1 were a result of an operational accident at DENIC, or whether they were an indication of an attack, the implications of which DNSSEC would more properly defend.

I kind of agree with you that it would be nice to have a more objective way to make this decision. However, these kinds of operational mishaps are often the result of a failure in process or infrastructure; I don't know that it's reasonable to imagine that at a time of operational crisis we should expect other processes or infrastructure intended to provide a clear signal to be working or trustworthy. When it comes down to it, there's no substitute for a functional personal network that allows you to get current information from people you trust. This is the Internet's secret superpower.

We have a nice opportunity to talk more about this coming up in Edinburgh.


Joe

> On 11 May 2026, at 08:27, Carsten Strotmann <carsten at strotmann.de> wrote:
> 
> Hello Joe,
> Hello DNS-OARC people,
> 
>> On 6 May 2026, at 1:16, Joe Abley via dns-operations wrote:
>> 
>> In case it's useful to know, an NTA for the DE top-level domain was rolled out on 1.1.1.1 at around 2026-05-05 22:20 UTC.
>> 
>> We see well-signed responses from most (but not clearly all) DE authoritative servers right now, but we plan to leave the NTA in place until we have had a chance to coordinate with DENIC, in the interests of avoiding surprises.
> 
> I wonder how Cloudflare and others made the decision to activate an NTA during the incident.
> 
> During the incident, to me looking from the outside (without contact to DENIC), there was no clear indication whether the DNSSEC issues seen in the "de."-zone were caused by attack or misconfiguration (or did I miss something?).
> 
> Prematurely activating an NTA in case of an attack on DNSSEC might cause harm for the Internet as a whole, esp. on a public DNS resolver used by a large percentage of Internet users.
> 
> It would be helpful if operators of important DNSSEC-signed zones (Root, TLDs, important infrastructure providers like Google, Microsoft, Cloudflare ...) published a statement online where they explain how they will communicate publicly in case of a DNSSEC incident, esp. how and where they will inform about the root cause of the issue.
> 
> The operator of the failing DNSSEC-signed zone is in the best spot to distinguish an attack from misconfiguration or misbehaving equipment. Once the operator of the failing DNSSEC-secured namespace has ruled out an attack, this finding should be made public as soon as possible to help people on the Internet decide on activating an NTA.
> 
> A public communication channel would also lower the number of people trying to reach the operator to get first-hand information on the incident, which is needed to be able to decide on the activation of an NTA.
> 
> Maybe we need a central, trusted information hub for DNSSEC issue related information. ICANN? DNS-OARC? DNS-VIZ?
> 
> I have no answers, just the feeling that something is missing, and last week's incident has made it visible that the DNSSEC puzzle is not complete.
> 
> 
> Greetings
> 
> Carsten Strotmann
> 
> 
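Both messages above turn on what an NTA actually does once a resolver operator decides to deploy one: it scopes a validation exemption to one name and everything below it, it expires on its own (RFC 7646 asks for a limited lifetime), and it is removed early once the zone validates again, which is the "leave it in place until we have coordinated" behaviour Joe describes. The following is an added illustration of that bookkeeping, not code from Cloudflare, DENIC or any real resolver. The one-hour default and one-week cap are assumptions modelled on BIND's `nta-lifetime` defaults, the refusal to anchor at the root is a design choice of this example, and the recheck callback stands in for a real validation attempt.

```python
"""Toy negative-trust-anchor (NTA) table in the spirit of RFC 7646.

Added example; not the code of any resolver or operator named in the thread.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List

# Assumptions: default and maximum lifetimes mirror BIND-style defaults,
# not a value taken from the mailing-list thread.
DEFAULT_LIFETIME = timedelta(hours=1)
MAX_LIFETIME = timedelta(days=7)


def _labels(name: str) -> List[str]:
    """Split an owner name into lower-cased labels; the root becomes []."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def covered_by(name: str, nta_name: str) -> bool:
    """True if `name` is `nta_name` or lies below it (label-wise suffix match).

    'www.example.de.' is covered by an NTA for 'de.'; 'de.example.' is not.
    """
    n, a = _labels(name), _labels(nta_name)
    return len(a) <= len(n) and n[len(n) - len(a):] == a


@dataclass
class NTA:
    name: str          # canonical, lower-cased, with trailing dot
    expires: datetime  # absolute UTC expiry; NTA is ignored after this
    reason: str        # operator note, e.g. the incident being worked


class NTATable:
    """Keeps active NTAs and answers 'may I treat this name as insecure?'."""

    def __init__(self) -> None:
        self._ntas: Dict[str, NTA] = {}

    @staticmethod
    def _key(name: str) -> str:
        return ".".join(_labels(name)) + "."

    def add(self, name: str, now: datetime,
            lifetime: timedelta = DEFAULT_LIFETIME, reason: str = "") -> NTA:
        """Install an NTA; the requested lifetime is capped at MAX_LIFETIME."""
        if not _labels(name):
            # Design choice of this example: never exempt the whole namespace.
            raise ValueError("refusing to install an NTA at the root")
        lifetime = min(lifetime, MAX_LIFETIME)
        nta = NTA(self._key(name), now + lifetime, reason)
        self._ntas[nta.name] = nta
        return nta

    def remove(self, name: str) -> bool:
        return self._ntas.pop(self._key(name), None) is not None

    def active(self, now: datetime) -> List[NTA]:
        """Drop expired entries and return the ones still in force."""
        for key in [k for k, v in self._ntas.items() if v.expires <= now]:
            del self._ntas[key]
        return list(self._ntas.values())

    def is_insecure(self, name: str, now: datetime) -> bool:
        """True if a still-valid NTA covers `name`, so bogus answers may pass."""
        return any(covered_by(name, n.name) for n in self.active(now))

    def recheck(self, now: datetime,
                validates: Callable[[str], bool]) -> List[str]:
        """Periodic recheck: remove every NTA whose zone validates again.

        `validates` stands in for a real validation attempt against the
        live zone (assumption: the caller supplies it).
        """
        cleared = [n.name for n in self.active(now) if validates(n.name)]
        for name in cleared:
            self.remove(name)
        return cleared


if __name__ == "__main__":
    # Constructed walk-through using the timestamp quoted in the thread.
    t0 = datetime(2026, 5, 5, 22, 20, tzinfo=timezone.utc)
    table = NTATable()
    table.add("de.", t0, lifetime=timedelta(days=30), reason="DE validation failures")
    print(table.is_insecure("www.example.de.", t0))    # True: covered by de.
    print(table.is_insecure("de.example.", t0))        # False: not below de.
    print(table.active(t0)[0].expires - t0)            # capped to 7 days
    # Later recheck where the zone validates again: NTA is dropped early.
    print(table.recheck(t0 + timedelta(hours=6), lambda zone: True))
```

The point worth noticing is the asymmetry Carsten raises: while the NTA is active, `is_insecure` turns validation failures for every name under `de.` into accepted answers, so the table's only safety nets are the hard expiry and the recheck that retires the entry as soon as the zone validates again.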