--- Begin Message ---
(Replying to the tweet, not your comment, Mark)
Cloudflare didn't temporarily disable all DNSSEC validation on 1.1.1.1 during the signing problems experienced by DENIC. We only stopped validating responses in the DE domain, and only for the duration of the incident. We were following common practice, e.g. as described in RFC 7646.
It is not the considered opinion of Cloudflare that "DNSSEC is done". Cloudflare continues to support DNSSEC as a first-class protocol extension and tries hard to make it easy for our customers to use it.
For more see Sebastiaan, Christian and Max's recent blog post:
It’s looking like a bad DNSSEC rollover
> Stick a fork in it. DNSSEC is done. The largest Internet DNS provider doesn't "temporarily disable" core Internet security functionality. Cloudflare agrees with me: DNSSEC isn't that.
--- End Message ---
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations