[dns-operations] NTA for DE installed on 1.1.1.1 around an hour ago
Joe Abley
jabley at strandkip.nl
Mon May 11 13:08:38 UTC 2026
Hi Marco,
On 11 May 2026, at 14:00, Marco Davids (SIDN) via dns-operations <dns-operations at dns-oarc.net> wrote:
> On 11-05-2026 at 12:46, Carsten Strotmann wrote:
>
>> My guess is that DeNIC did know early that the incident wasn't an attack, but that information was not communicated. A note on "status.denic.de" would have helped.
>
> If this was indeed an attack, then any information published on 'status.denic.de' cannot be fully trusted.
This had crossed my mind, too. Not to mention it would have been handy in this instance if using the status page didn't depend on signatures that were not possible to validate.
Note also that the decision to deploy an NTA depends on your own perspective. I did not hear anybody at DENIC saying that they advised anybody to deploy an NTA, for example. The decision tree is no doubt different for them than it is for 1.1.1.1 (and it might well be different for other resolver operators).
> But to me it was fairly clear that it was an operational issue, based on signals we were already seeing come in at an early stage, from various sources.
>
> Speaking of trust: users place trust not only in DNSSEC, but also in the resolver they choose to use. If you don't trust a resolver like Cloudflare's to do the right thing, you may want to consider alternatives or run your own resolver.
I think the interesting question for us is how do we make good decisions with 1.1.1.1 that are compatible with the expectations of our users. This will always be subjective since our user population is anonymous and we don't have obvious ways of asking them.
Carsten, you mentioned that human trust networks seem unlikely to scale when it comes to this kind of need. I'm not sure that's completely true. You can gain a useful heuristic about questions like "is this an operational problem at a registry or is it an attack" by gauging consensus amongst contacts you do have, trusting that their network is usefully different to yours. This is six degrees of separation applied to a significantly smaller set of humans than "the 7 billion people alive on Earth today".
Joe