It is indeed a bit sad that Cloudflare had to turn off DNSSEC completely. But I completely understand that they don't have a production-ready, tested path to override DNSSEC validation for only some domains.

▲

vendemiat 3 hours ago | parent | next [-]

Sorry! status message was not clear. DNSSEC validation is temporarily disabled only for .de domains.

	▲	tptacek 3 hours ago \| parent [-]
		That's not much better!

▲

fastest963 3 hours ago | parent | prev [-]

[flagged]

▲

jonah-archive 2 hours ago | parent | next [-]

Originally it said:

---

The issue has been identified as a DNSSEC signing problem at DENIC, the organization responsible for the .DE top-level domain. Cloudflare has temporarily disabled DNSSEC validation on 1.1.1.1 resolver in order to allow .DE names to continue to resolve. DNSSEC validation will be re-enabled when the signing problems at DENIC are known to have been resolved.

---

(and in case it changes again, now it says)

---

The issue has been identified as a DNSSEC signing problem at DENIC, the organization responsible for the .DE top-level domain. Cloudflare has temporarily disabled DNSSEC validation for .de domains on 1.1.1.1 resolver (as per RFC 7646) in order to allow .DE names to continue to resolve. DNSSEC validation will be re-enabled when the signing problems at DENIC are known to have been resolved.

See RFC 7646 for more details: https://datatracker.ietf.org/doc/html/rfc7646

---

	▲	tptacek 2 hours ago \| parent [-]
		The RFC 7646 thing here is the funniest possible addition. This is the greatest day.

▲

tptacek 2 hours ago | parent | prev [-]

It didn't originally say that. They added the clarification just a few minutes ago. The guidelines ask you not to ask people these kinds of questions, for what it's worth.