--- Begin Message ---
Hi Joe,

On 11 May 2026, at 8:38, Joe Abley wrote:

> I kind of agree with you that it would be nice to have a more objective way 
> to make this decision. However, these kinds of operational mishaps are often 
> the result of a failure in process or infrastructure; I don't know that it's 
> reasonable to imagine that at a time of operational crisis we should expect 
> other processes or infrastructure intended to provide a clear signal to be 
> working or trustworthy.

Having a clear documentation of the situation from the operator of the domain 
would help. My guess is that DeNIC did know early that the incident wasn't an 
attack, but that information was not communicated. A note on "status.denic.de" 
would have helped.

> When it comes down to it, there's no substitute for a functional personal 
> network that allows you to get current information from people you trust. 
> This is the Internet's secret superpower.
>

I agree, but I also see that this superpower does not scale. We can't have 
every operator of a DNSSEC resolver having direct contact with every operator 
of a critical DNS zone.

I see quite a number of instructions now on how to configure an NTA. But these 
videos/blog-posts/social media messages don't discuss the implications of 
activating a NTA prematurely without proper information about the incident. My 
concern is this will weaken the trust in DNSSEC.

The average admin of a DNS resolver will be overwhelmed with the decision on 
the "if" and "when" to activate a NTA.

Maybe it would help to have a technical/automated way to get a "NTA 
subscription", maybe as part of an extension to response policy zones (RPZ).

The curators of response policy zones already make security decisions for their 
customers/consumers. A separate RPZ feed of NTA information would lower the 
risk that NTAs will linger indefinitely inside the DNS resolver's configuration.

> We have a nice opportunity to talk more about this coming up in Edinburgh.

I would welcome a discussion at DNS-OARC in Edinburgh; unfortunately I can only 
make it to the RIPE meeting starting on Monday and will miss DNS-OARC.

Greetings

Carsten


--- End Message ---
_______________________________________________
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations