--- Begin Message ---
Hi Marco,

On 11 May 2026, at 14:00, Marco Davids (SIDN) via dns-operations
<[email protected]> wrote:
> On 11-05-2026 at 12:46, Carsten Strotmann wrote:
>
>> My guess is that DENIC did know early that the incident wasn't an attack,
>> but that information was not communicated. A note on "status.denic.de" would
>> have helped.
>
> If this was indeed an attack, then any information published on
> 'status.denic.de' cannot be fully trusted.

This had crossed my mind, too. Not to mention it would have been handy in this
instance if using the status page didn't depend on signatures that were not
possible to validate.

Note also that the decision to deploy an NTA depends on your own perspective. I
did not hear anybody at DENIC saying that they advised anybody to deploy an
NTA, for example. The decision tree is no doubt different for them than it is
for 1.1.1.1 (and it might well be different for other resolver operators).

> But to me it was fairly clear that it was an operational issue, based on
> signals we were already seeing come in at an early stage, from various
> sources.
>
> Speaking of trust: users place trust not only in DNSSEC, but also in the
> resolver they choose to use. If you don't trust a resolver like Cloudflare's
> to do the right thing, you may want to consider alternatives or run your own
> resolver.

I think the interesting question for us is how do we make good decisions with
1.1.1.1 that are compatible with the expectations of our users. This will
always be subjective since our user population is anonymous and we don't have
obvious ways of asking them.

Carsten, you mentioned that human trust networks seem unlikely to scale when it
comes to this kind of need. I'm not sure that's completely true. You can gain a
useful heuristic about questions like "is this an operational problem at a
registry or is it an attack" by gauging consensus amongst contacts you do have,
trusting that their network is usefully different to yours. This is six degrees
of separation applied to a significantly smaller set of humans than "the 7
billion people alive on Earth today".

Joe
--- End Message ---