--- Begin Message ---
Hi Carsten,
On 11-05-2026 at 12:46, Carsten Strotmann wrote:
> My guess is that DeNIC did know early that the incident wasn't an attack, but that
> information was not communicated. A note on "status.denic.de" would have helped.
If this was indeed an attack, then any information published on
'status.denic.de' cannot be fully trusted.
But to me it was fairly clear that it was an operational issue, based on
signals we were already seeing come in at an early stage, from various
sources.
Speaking of trust: users place trust not only in DNSSEC, but also in the
resolver they choose to use. If you don't trust a resolver like
Cloudflare's to do the right thing, you may want to consider
alternatives or run your own resolver.
> Maybe it would help to have a technical/automated way to get a "NTA
> subscription", maybe as part of an extension to response policy zones (RPZ).
I'm not sure if that is the right way to go. What if such a 'centralised
service' gets compromised?
Lastly, I appreciate the policy and transparency of Quad9:
https://quad9.net/service/negative-trust-anchors/
They openly acknowledge that the risk of users leaving them is one of
their criteria, which makes total sense to me.
--
Marco
--- End Message ---
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations