[dns-operations] NTA for DE installed on 1.1.1.1 around an hour ago
Carsten Strotmann
carsten at strotmann.de
Mon May 11 10:46:15 UTC 2026
Hi Joe,
On 11 May 2026, at 8:38, Joe Abley wrote:
> I kind of agree with you that it would be nice to have a more objective way to make this decision. However, these kinds of operational mishaps are often the result of a failure in process or infrastructure; I don't know that it's reasonable to imagine that at a time of operational crisis we should expect other processes or infrastructure intended to provide a clear signal to be working or trustworthy.
Having clear documentation of the situation from the operator of the domain would help. My guess is that DeNIC did know early that the incident wasn't an attack, but that information was not communicated. A note on "status.denic.de" would have helped.
> When it comes down to it, there's no substitute for a functional personal network that allows you to get current information from people you trust. This is the Internet's secret superpower.
>
I agree, but I also see that this superpower does not scale. We can't have every operator of a DNSSEC resolver having direct contact with every operator of a critical DNS zone.
I see quite a number of instructions now on how to configure an NTA. But these videos/blog-posts/social media messages don't discuss the implications of activating an NTA prematurely without proper information about the incident. My concern is this will weaken the trust in DNSSEC.
The average admin of a DNS resolver will be overwhelmed with the decision on the "if" and "when" to activate an NTA.
Maybe it would help to have a technical/automated way to get a "NTA subscription", maybe as part of an extension to response policy zones (RPZ).
The curators of response policy zones already make security decisions for their customers/consumers. A separate RPZ feed of NTA information would lower the risk that NTAs will linger indefinitely inside the DNS resolver's configuration.
> We have a nice opportunity to talk more about this coming up in Edinburgh.
I would welcome a discussion at DNS-OARC in Edinburgh, unfortunately I can only make it to the RIPE meeting starting on Monday and will miss DNS-OARC.
Greetings
Carsten
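As an added illustration of the "NTA subscription" idea above (not code from the thread or from any RPZ vendor), the sketch below consumes a constructed, hypothetical feed format and only emits NTAs that carry an explicit, bounded expiry, rendering them as BIND `rndc nta -lifetime` commands so the resolver itself drops them even if the feed later disappears. The feed format, the sample entries, and the evaluation time are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample feed in a hypothetical line format (NOT a real RPZ/NTA standard):
#   <zone> <expires as ISO 8601 UTC> <free-text reason>
SAMPLE_FEED = """\
# constructed entries for illustration only
de. 2026-05-12T08:00:00Z operator-confirmed signing problem, not an attack
example. 2026-05-10T00:00:00Z stale entry that already expired
badzone. none entry without an expiry must be rejected
"""

# Assumed evaluation time (matches the date of the post) so results are reproducible.
NOW = datetime(2026, 5, 11, 10, 46, 15, tzinfo=timezone.utc)

# Policy: never accept an NTA that would outlive a week; a lingering NTA
# silently disables validation for that zone, which is exactly the risk above.
MAX_LIFETIME = timedelta(days=7)


def parse_feed(text, now=NOW):
    """Split the feed into (active, rejected). Rejected entries carry a reason."""
    active, rejected = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 3:
            rejected.append((line, "malformed"))
            continue
        zone, expires_s, reason = parts
        try:
            expires = datetime.fromisoformat(expires_s.replace("Z", "+00:00"))
        except ValueError:
            rejected.append((zone, "no valid expiry"))   # an NTA without an end date is refused
            continue
        if expires <= now:
            rejected.append((zone, "expired"))
        elif expires - now > MAX_LIFETIME:
            rejected.append((zone, "lifetime too long"))
        else:
            active.append({"zone": zone, "expires": expires, "reason": reason})
    return active, rejected


def bind_nta_commands(active, now=NOW):
    """Render BIND 9 'rndc nta -lifetime <seconds> <zone>' commands for active entries."""
    return [
        f"rndc nta -lifetime {int((e['expires'] - now).total_seconds())} {e['zone']}"
        for e in active
    ]
```

Running `bind_nta_commands(*parse_feed(SAMPLE_FEED)[:1])` with the sample yields a single command for `de.` with a lifetime of 76425 seconds; the expired and undated entries are reported rather than applied.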