Reviewing DNS logs and noticed that `vuxml.freebsd.org` fails DNSSEC validation but `matrix-dev.freebsd.org` passes.
Can anyone else confirm or is my software buggy?
OK, now it is officially embarrassing.
https://blog.denic.de/analyse-des-dns-ausfalls-vom-5-mai-2026/

As of Frankfurt am Main, 8 May 2026: During a routine DNSSEC key rollover on 5 May 2026, signatures that could partly not be validated were generated and distributed. As a result, validating resolvers were temporarily unable to verify their DNS responses for .de domains successfully. This led to noticeable restrictions in the reachability of .de domains for about three hours.
DENIC: “Analysis of the DNS outage on 5 May 2026”
English: https://blog.denic.de/en/analysis-of-the-dns-outage-on-5-may-2026/
German: https://blog.denic.de/analyse-des-dns-ausfalls-vom-5-mai-2026/

Frankfurt am Main, 8 May 2026 During a routine DNSSEC key rollover on 5 May 2026, some non-validatable signatures were generated and distributed. As a result, validating resolvers were temporarily unable to successfully verify their DNS responses for .de domains. This led to noticeable restrictions in the accessibility of .de
But this statement specially caught my attention:
Some operators of large resolvers had temporarily deactivated the validation of .de domains, thereby mitigating the impact on their users. We would like to thank them for their help.
It’s about #DNSSEC “negative trust anchors” or #NTA as defined in RFC 7646. It states:
Technical personnel trained in the operation of DNS servers must confirm that a DNSSEC validation failure is due to misconfiguration, as a similar breakage could have occurred if an attacker gained access to a domain’s authoritative servers and modified those records or had the domain pointed to their own rogue authoritative servers. They should also confirm that the domain is not intentionally broken, such as for testing purposes as noted in Section 6. Finally, they should make a reasonable attempt to contact the domain owner of the misconfigured zone, preferably prior to implementing the NTA.
(Emphasis by me).
The aforementioned statement from DENIC as well as those by @cloudflare and @quad9dns indicate that no correspondence happened between DENIC and resolver operators before NTA was applied.
I didn’t like NTA from the very beginning, and now even more.
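One practical way to tell a zone that fails validation (what the thread above describes for .de) from one that a resolver has been told to treat as insecure (the effect of an NTA) is to compare a normal query with the same query sent with the CD (checking disabled) bit set. The following Python is an added example, not part of the thread or of any DENIC material: it builds constructed DNS response headers (not captured traffic) and classifies what a client would observe; the function names are mine.

```python
import struct

# DNS header layout (RFC 1035 section 4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
# Flag bits used here: QR=0x8000, RD=0x0100, RA=0x0080, AD=0x0020, CD=0x0010, RCODE=low 4 bits.
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010


def build_header(rcode, ad=False, cd=False, ancount=0):
    """Construct a 12-byte response header (sample data, not a real capture)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (rcode & 0x000F)
    if ad:
        flags |= FLAG_AD  # resolver asserts the data was DNSSEC-validated
    if cd:
        flags |= FLAG_CD  # query asked the resolver to skip validation
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)


def parse_header(msg):
    """Return the fields of a DNS header relevant to validation status."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    _ident, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "rcode": flags & 0x000F,
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "ancount": an,
    }


def classify(plain, with_cd):
    """Classify a name from two responses: a normal query and the same query with CD=1.

    secure   : normal answer carries AD=1.
    bogus    : normal query SERVFAILs but CD=1 returns data, i.e. the data exists and
               only fails validation (what validating resolvers saw for .de on 5 May).
    insecure : NOERROR with AD=0, which is what clients see for an unsigned zone or
               for a zone the resolver no longer validates, e.g. because of an NTA.
    """
    p, c = parse_header(plain), parse_header(with_cd)
    if p["rcode"] == RCODE_NOERROR and p["ad"]:
        return "secure"
    if p["rcode"] == RCODE_SERVFAIL and c["rcode"] == RCODE_NOERROR and c["ancount"] > 0:
        return "bogus"
    if p["rcode"] == RCODE_NOERROR and not p["ad"]:
        return "insecure"
    return "unknown"
```

A SERVFAIL that turns into an answer under CD=1 is the signal to investigate the chain of trust (for example with DNSViz) before anyone considers an NTA, and an `insecure` result for a zone known to be signed is a sign that validation has been switched off somewhere along the path.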

DNS Security Extensions (DNSSEC) is now entering widespread deployment. However, domain signing tools and processes are not yet as mature and reliable as those for non-DNSSEC-related domain administration tools and processes. This document defines Negative Trust Anchors (NTAs), which can be used to mitigate DNSSEC validation failures by disabling DNSSEC validation at specified domains.
#DENIC published a blog on what went wrong on May 5th with the #DNSSEC on .de namespace:
https://blog.denic.de/en/analysis-of-the-dns-outage-on-5-may-2026/
It was a faulty piece of software. The described impact matches what I could observe using DNSViz data.

DNS problems with .de domains: DENIC provides a first explanation
Faulty signatures caused outages of .de domains on Wednesday. Those responsible at DENIC have now provided explanations.
Heise reports: a DNS error prevents the resolution of .de domains; numerous services (apps, web, mail) affected; faulty DNSSEC signature. DENIC is working on a fix; temporary workaround: non-validating DNS servers. More: https://www.heise.de/news/DNS-Probleme-de-Domains-nicht-erreichbar-11283192.html ⚠️🌐🔧 #DNS #DNSSEC #deDomains #DENIC
Spanish Flea 🎶🎶🎶
Weekend Reads
* Rolling the DNS root key
https://www.potaroo.net/ispcol/2026-05/kskroll.html
* Measuring Internet censorship
https://ooni.org/post/2026-measuring-internet-censorship-trends-challenges-impact/
* How an HTTP header caused time.gov skew
https://alexsci.com/blog/how-time-gov-works/
* Password manager infrastructure in-the-wild
https://censys.com/blog/password-manager-infrastructure/
* Investigating NRS outreach to AFRINIC members
https://circleid.com/posts/registry-under-siege-investigating-nrs-outreach-to-afrinic-members