If it turns out the DNSSEC issue was caused by threat actors, this downstream effect could very well have been the reason to do it.

▲

amluto 3 hours ago | parent [-]

It is indeed a bit sad that Cloudflare had to turn off DNSSEC completely. But I completely understand that they don't have a production-ready, tested path to override DNSSEC validation for only some domains.

▲

vendemiat 3 hours ago | parent | next [-]

Sorry! status message was not clear. DNSSEC validation is temporarily disabled only for .de domains.

	▲	tptacek 2 hours ago \| parent [-]
		That's not much better!

▲

fastest963 2 hours ago | parent | prev [-]

[flagged]

▲

jonah-archive an hour ago | parent | next [-]

Originally it said:

---

The issue has been identified as a DNSSEC signing problem at DENIC, the organization responsible for the .DE top-level domain. Cloudflare has temporarily disabled DNSSEC validation on 1.1.1.1 resolver in order to allow .DE names to continue to resolve. DNSSEC validation will be re-enabled when the signing problems at DENIC are known to have been resolved.

---

(and in case it changes again, now it says)

---

The issue has been identified as a DNSSEC signing problem at DENIC, the organization responsible for the .DE top-level domain. Cloudflare has temporarily disabled DNSSEC validation for .de domains on 1.1.1.1 resolver (as per RFC 7646) in order to allow .DE names to continue to resolve. DNSSEC validation will be re-enabled when the signing problems at DENIC are known to have been resolved.

See RFC 7646 for more details: https://datatracker.ietf.org/doc/html/rfc7646

---

	▲	tptacek an hour ago \| parent [-]
		The RFC 7646 thing here is the funniest possible addition. This is the greatest day.

▲

tptacek 2 hours ago | parent | prev [-]

It didn't originally say that. They added the clarification just a few minutes ago. The guidelines ask you not to ask people these kinds of questions, for what it's worth.