--- Begin Message ---
Hi Carsten,
Some Cloudflare DNS people wrote a nice blog that included some mention of the
decision-making process:
https://blog.cloudflare.com/de-tld-outage-dnssec/
We were guided by informal contact with people we knew at DENIC, the
interpretation of visible signals shared by other people in the DNS-OARC
community through this mailing list and Mattermost, and the guidance in RFC
7646. The decision to deploy an NTA was not taken lightly, and involved
briefing of and buy-in from some senior executives. The core question was, as
you say, whether the DNSSEC validation failures we were seeing on 1.1.1.1 were
a result of an operational accident at DENIC, or whether they were an
indication of an attack, the implications of which DNSSEC would more properly
defend.
I kind of agree with you that it would be nice to have a more objective way to
make this decision. However, these kinds of operational mishaps are often the
result of a failure in process or infrastructure; I don't know that it's
reasonable to imagine that at a time of operational crisis we should expect
other processes or infrastructure intended to provide a clear signal to be
working or trustworthy. When it comes down to it, there's no substitute for a
functional personal network that allows you to get current information from
people you trust. This is the Internet's secret superpower.
We have a nice opportunity to talk more about this coming up in Edinburgh.
Joe
> On 11 May 2026, at 08:27, Carsten Strotmann <[email protected]> wrote:
>
> Hello Joe,
> Hello DNS-OARC people,
>
>> On 6 May 2026, at 1:16, Joe Abley via dns-operations wrote:
>>
>> In case it's useful to know, an NTA for the DE top-level domain was rolled
>> out on 1.1.1.1 at around 2026-05-05 22:20 UTC.
>>
>> We see well-signed responses from most (but not clearly all) DE
>> authoritative servers right now, but we plan to leave the NTA in place until
>> we have had a chance to coordinate with DENIC, in the interests of avoiding
>> surprises.
>
> I wonder how Cloudflare and others made the decision to activate an NTA during
> the incident.
>
> During the incident, to me looking from the outside (without contact to
> DeNIC), there was no clear indication whether the DNSSEC issues seen in the
> "de."-zone were caused by attack or misconfiguration (or did I miss
> something?).
>
> Prematurely activating an NTA in case of an attack on DNSSEC might cause harm
> for the Internet as a whole, esp. on a public DNS resolver used by a large
> percentage of Internet users.
>
> It would be helpful if operators of important DNSSEC signed zones (Root,
> TLDs, important infrastructure providers like Google, Microsoft, Cloudflare
> ...) publish a statement online where they explain how they will communicate
> publicly in case of a DNSSEC incident, esp. how and where they will inform
> about the root-cause of the issue.
>
> The operator of the failing DNSSEC signed zone is in the best spot to
> distinguish an attack from misconfiguration or misbehaving equipment. Once
> the operator of the failing DNSSEC secured namespace has ruled out an attack,
> this finding should be public as soon as possible to help people on the
> Internet to decide on activating an NTA.
>
> A public communication channel would also lower the amount of people trying
> to reach the operator to get first hand information on the incident, needed
> to be able to decide on the activation of an NTA.
>
> Maybe we need a central, trusted information hub for DNSSEC issue related
> information. ICANN? DNS-OARC? DNS-VIZ?
>
> I have no answers, just the feeling that something is missing, and last
> week's incident has made it visible that the DNSSEC puzzle is not complete.
>
>
> Greetings
>
> Carsten Strotmann
>
>
--- End Message ---
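The thread above talks about "rolling out an NTA for DE" without showing what that does inside a resolver. The following is an added example, not code from either message and not Cloudflare's resolver: a small Python model of an RFC 7646 Negative Trust Anchor table. It shows the three mechanics the discussion depends on: an NTA covers the named domain and everything below it (label-wise, so "ade" is not under "de"), it turns what would be a SERVFAIL for a bogus answer into an unvalidated answer with no AD bit for the whole subtree (which is why the attack-versus-accident question matters), and RFC 7646's guardrails are a capped lifetime plus periodic re-checking. The names, timestamps, lifetimes and the probe callback are constructed for illustration.

```python
# Resolver-side Negative Trust Anchor (NTA) table modelled on RFC 7646.
# Added example for this thread; not Cloudflare's or any resolver's real code.
# Names, timestamps, lifetimes and the probe callback are constructed.
from dataclasses import dataclass

# RFC 7646 recommends NTAs be temporary; about a week is the suggested ceiling.
MAX_NTA_LIFETIME = 7 * 24 * 3600
DEFAULT_NTA_LIFETIME = 3600


def labels(name):
    """Split a presentation-format name into lower-cased labels ("www.example.de")."""
    name = name.strip().lower().rstrip(".")
    return name.split(".") if name else []


def at_or_below(qname, owner):
    """True if qname equals owner or lies in its subtree, compared label by label."""
    q, o = labels(qname), labels(owner)
    return len(q) >= len(o) and q[len(q) - len(o):] == o


@dataclass
class NTA:
    name: str      # canonical owner, e.g. "de"
    expires: float # absolute time after which the NTA no longer applies
    reason: str    # operator note: why validation was switched off here


class NTATable:
    def __init__(self):
        self._entries = {}

    def add(self, name, now, lifetime=DEFAULT_NTA_LIFETIME, reason=""):
        """Install an NTA; the lifetime is clamped so it cannot become permanent."""
        lifetime = min(lifetime, MAX_NTA_LIFETIME)
        key = ".".join(labels(name))
        self._entries[key] = NTA(key, now + lifetime, reason)
        return self._entries[key]

    def remove(self, name):
        self._entries.pop(".".join(labels(name)), None)

    def covering(self, qname, now):
        """Return the most specific unexpired NTA covering qname, or None."""
        best = None
        for nta in self._entries.values():
            if nta.expires <= now or not at_or_below(qname, nta.name):
                continue
            if best is None or len(labels(nta.name)) > len(labels(best.name)):
                best = nta
        return best

    def expire(self, now):
        """Drop NTAs whose lifetime has elapsed; returns the names dropped."""
        gone = [k for k, v in self._entries.items() if v.expires <= now]
        for k in gone:
            del self._entries[k]
        return gone

    def resolve_outcome(self, qname, validation, now):
        """Combine the validator's verdict ('secure', 'insecure', 'bogus') with
        the NTA table. Under an active NTA the subtree is treated as unsigned,
        so the answer goes out without AD instead of being refused. Without an
        NTA a bogus result is still answered with SERVFAIL."""
        if self.covering(qname, now) is not None:
            return "insecure"
        return "servfail" if validation == "bogus" else validation

    def revalidate(self, now, probe):
        """Operator re-check (RFC 7646): remove NTAs whose zones validate again.
        probe(name) is caller-supplied and returns the verdict for the apex."""
        cleared = []
        for key in list(self._entries):
            if self._entries[key].expires > now and probe(key) == "secure":
                del self._entries[key]
                cleared.append(key)
        return cleared


if __name__ == "__main__":
    table = NTATable()
    table.add("de.", now=1000, lifetime=4 * 3600, reason="DE validation failures")
    print(table.resolve_outcome("www.example.de", "bogus", now=1100))   # insecure
    print(table.resolve_outcome("ade", "bogus", now=1100))              # servfail
    print(table.revalidate(2000, probe=lambda name: "secure"))          # ['de']
```

The probe callback is where a real deployment would hook in an actual DNSSEC check of the zone apex; the model deliberately keeps it external so the decision logic can be exercised offline. Note that "secure" answers under an active NTA also come back as "insecure": once the NTA is in place the resolver is not validating that subtree at all, which is the cost the thread is weighing.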
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations