[dns-operations] NTA for DE installed on 1.1.1.1 around an hour ago
Marco Davids (SIDN)
marco.davids at sidn.nl
Mon May 11 12:00:37 UTC 2026
Hi Carsten,
On 11-05-2026 at 12:46, Carsten Strotmann wrote:
> My guess is that DeNIC did know early that the incident wasn't an attack, but that information was not communicated. A note on "status.denic.de" would have helped.
If this was indeed an attack, then any information published on
'status.denic.de' cannot be fully trusted.
But to me it was fairly clear that it was an operational issue, based on
signals we were already seeing come in at an early stage, from various
sources.
Speaking of trust: users place trust not only in DNSSEC, but also in the
resolver they choose to use. If you don't trust a resolver like
Cloudflare's to do the right thing, you may want to consider
alternatives or run your own resolver.
> Maybe it would help to have a technical/automated way to get a "NTA subscription", maybe as part of an extension to response policy zones (RPZ).
I'm not sure if that is the right way to go. What if such a 'centralised
service' gets compromised?
Lastly, I appreciate the policy and transparency of Quad9:
https://quad9.net/service/negative-trust-anchors/
They openly acknowledge that the risk of users leaving them is one of
their criteria, which makes total sense to me.
--
Marco