--- Begin Message ---
Hello Joe,
Hello DNS-OARC people,
On 6 May 2026, at 1:16, Joe Abley via dns-operations wrote:
> In case it's useful to know, an NTA for the DE top-level domain was rolled
> out on 1.1.1.1 at around 2026-05-05 22:20 UTC.
>
> We see well-signed responses from most (but not clearly all) DE authoritative
> servers right now, but we plan to leave the NTA in place until we have had a
> chance to coordinate with DENIC, in the interests of avoiding surprises.
I wonder how Cloudflare and others made the decision to activate an NTA during
the incident.
During the incident, to me looking from the outside (without contact to DENIC),
there was no clear indication whether the DNSSEC issues seen in the "de."-zone
were caused by attack or misconfiguration (or did I miss something?).
Prematurely activating an NTA in case of an attack on DNSSEC might cause harm
for the Internet as a whole, esp. on a public DNS resolver used by a large
percentage of Internet users.
It would be helpful if operators of important DNSSEC-signed zones (Root, TLDs,
important infrastructure providers like Google, Microsoft, Cloudflare ...)
published a statement online where they explain how they will communicate
publicly in case of a DNSSEC incident, esp. how and where they will inform
about the root cause of the issue.
The operator of the failing DNSSEC-signed zone is in the best spot to
distinguish an attack from misconfiguration or misbehaving equipment. Once the
operator of the failing DNSSEC-secured namespace has ruled out an attack, this
finding should be made public as soon as possible to help people on the Internet
decide on activating an NTA.
A public communication channel would also reduce the number of people trying to
reach the operator to get first-hand information on the incident, which they
need in order to decide on the activation of an NTA.
Maybe we need a central, trusted information hub for DNSSEC issue related
information. ICANN? DNS-OARC? DNS-VIZ?
I have no answers, just the feeling that something is missing, and last week's
incident has made it visible that the DNSSEC puzzle is not complete.
Greetings
Carsten Strotmann
--- End Message ---
_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations