<html class="apple-mail-supports-explicit-dark-mode"><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div dir="ltr"></div><div dir="ltr">(Replying to the tweet, not your comment Mark) </div><div dir="ltr"><br></div><div dir="ltr">Cloudflare didn't temporarily disable all DNSSEC validation on 1.1.1.1 during the signing problems experienced by DENIC. We only stopped validating responses in the DE domain, and only for the duration of the incident. We were following common practice, e.g. as described in RFC 7646.</div><div dir="ltr"><br></div><div dir="ltr">It is not the considered opinion of Cloudflare that "DNSSEC is done". Cloudflare continues to support DNSSEC as a first class protocol extension and tries hard to make it easy for our customers to use it.</div><div dir="ltr"><br></div><div dir="ltr">For more see Sebastiaan, Christian and Max's recent blog post:</div><div dir="ltr"><br></div><div dir="ltr"><a href="https://blog.cloudflare.com/de-tld-outage-dnssec/">https://blog.cloudflare.com/de-tld-outage-dnssec/</a></div><div dir="ltr"><br></div><div dir="ltr"><blockquote type="cite">On 7 May 2026, at 18:54, Mark E Jeftovic <markjr@easydns.com> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><meta http-equiv="content-type" content="text/html; charset=utf-8">It’s looking like a bad DNSSEC rollover <div><br></div><div><div style="display: block;" class=""><div style="-webkit-user-select: all; -webkit-user-drag: element; display: inline-block;" class="apple-rich-link" draggable="true" role="link" data-url="https://x.com/tqbf/status/2051802131636592846?s=46"><a style="border-radius:10px;font-family:-apple-system, Helvetica, Arial, sans-serif;display:block;-webkit-user-select:none;width:300px;user-select:none;-webkit-user-modify:read-only;user-modify:read-only;overflow:hidden;text-decoration:none;" class="lp-rich-link" rel="nofollow" href="https://x.com/tqbf/status/2051802131636592846?s=46" dir="ltr" role="button" draggable="false" width="300"><table style="table-layout:fixed;border-collapse:collapse;width:300px;background-color:#EBF7FF;font-family:-apple-system, Helvetica, Arial, sans-serif;" class="lp-rich-link-emailBaseTable" cellpadding="0" cellspacing="0" border="0" width="300"><tbody><tr><td vertical-align="center" align="center"><div><HHl28MgXIAU9bIS.jpg></div></td></tr><tr><td vertical-align="center"><div style="margin:10px 16px 0px 16px;color:#000000;font-weight:300;text-align:left;width:268px;font-size:11pt;word-wrap:break-word;overflow:hidden;" class="lp-rich-link-quotedText">Stick a fork in it. DNSSEC is done. The largest Internet DNS provider doesn't "temporarily disable" core Internet security functionality. Cloudflare agrees with me: DNSSEC isn't that.</div></td></tr><tr><td vertical-align="center"><table bgcolor="#EBF7FF" cellpadding="0" cellspacing="0" width="300" style="table-layout:fixed;font-family:-apple-system, Helvetica, Arial, sans-serif;background-color:rgba(235, 247, 255, 1);" class="lp-rich-link-captionBar"><tbody><tr><td style="padding:6px 0px 6px 16px;" class="lp-rich-link-captionBar-leftIconItem" width="25"><a rel="nofollow" href="https://x.com/tqbf/status/2051802131636592846?s=46" draggable="false"><img src="https://pbs.twimg.com/profile_images/1440053758084272132/dF6N7UBk_200x200.jpg" srcset="https://pbs.twimg.com/profile_images/1440053758084272132/dF6N7UBk_200x200.jpg 1x" draggable="false" style="pointer-events:none !important;display:inline-block;width:25px;height:25px;border-radius:3px;" class="lp-rich-link-captionBar-leftIcon" width="25" height="25" data-unique-identifier=""></a></td><td style="padding:8px 0px 8px 0px;" class="lp-rich-link-captionBar-textStackItem"><div style="max-width:100%;margin:0px 16px 0px 10px;overflow:hidden;" class="lp-rich-link-captionBar-textStack"><div style="word-wrap:break-word;font-weight:500;font-size:12px;overflow:hidden;text-overflow:ellipsis;text-align:left;" class="lp-rich-link-captionBar-textStack-topCaption-leading"><a rel="nofollow" href="https://x.com/tqbf/status/2051802131636592846?s=46" style="text-decoration: none" draggable="false"><font color="#000000" style="color: rgba(0, 0, 0, 1);">Thomas H. Ptacek (@tqbf)
226 likes · 12 replies</font></a></div><div style="word-wrap:break-word;font-weight:400;font-size:11px;overflow:hidden;text-overflow:ellipsis;text-align:left;" class="lp-rich-link-captionBar-textStack-bottomCaption-leading"><a rel="nofollow" href="https://x.com/tqbf/status/2051802131636592846?s=46" style="text-decoration: none" draggable="false"><font color="#A2A2A9" style="color: rgba(60, 60, 67, 0.6);">x.com</font></a></div></div></td></tr></tbody></table></td></tr></tbody></table></a></div></div><br id="lineBreakAtBeginningOfSignature"><div dir="ltr"><br></div></div></div></blockquote></body></html>