tom1337 4 hours ago

Cloudflare has now disabled DNSSEC validation on their 1.1.1.1 resolver: https://www.cloudflarestatus.com/incidents/vjrk8c8w37lz

tptacek 3 hours ago

Welp. I think we can call it on DNSSEC now.

thayne an hour ago

Probably the most common reason to use DNSSEC is to check a box on a list of compliance rules. And I don't think this will change anything for people who need DNSSEC for compliance.

amluto 3 hours ago

Hahaha. You wish :-p

tptacek 3 hours ago

It's a pretty hard argument to work around: WebPKI certificates should go in the DNS, and also the largest DNS providers might at any moment decide not to validate DNSSEC anymore to get through an outage.

cluckindan 3 hours ago

If it turns out the DNSSEC issue was caused by threat actors, this downstream effect could very well have been the reason to do it.

amluto 3 hours ago

It is indeed a bit sad that Cloudflare had to turn off DNSSEC completely. But I completely understand that they don't have a production-ready, tested path to override DNSSEC validation for only some domains.

vendemiat 3 hours ago

Sorry! The status message was not clear. DNSSEC validation is temporarily disabled only for .de domains.

tptacek 2 hours ago

That's not much better!

fastest963 2 hours ago

[flagged]

jonah-archive an hour ago

Originally it said:

---

The issue has been identified as a DNSSEC signing problem at DENIC, the organization responsible for the .DE top-level domain. Cloudflare has temporarily disabled DNSSEC validation on 1.1.1.1 resolver in order to allow .DE names to continue to resolve. DNSSEC validation will be re-enabled when the signing problems at DENIC are known to have been resolved.

---

(and in case it changes again, now it says)

---

The issue has been identified as a DNSSEC signing problem at DENIC, the organization responsible for the .DE top-level domain. Cloudflare has temporarily disabled DNSSEC validation for .de domains on 1.1.1.1 resolver (as per RFC 7646) in order to allow .DE names to continue to resolve. DNSSEC validation will be re-enabled when the signing problems at DENIC are known to have been resolved.

See RFC 7646 for more details: https://datatracker.ietf.org/doc/html/rfc7646

---

tptacek an hour ago

The RFC 7646 thing here is the funniest possible addition. This is the greatest day.

tptacek 2 hours ago

It didn't originally say that. They added the clarification just a few minutes ago. The guidelines ask you not to ask people these kinds of questions, for what it's worth.