de

this is the sharper, event-driven version of the previous anti-DNSSEC thesis, if a major resolver bypasses validation during a registry signing failure, the operational model looks fragile.

Original source

Imported from historical reading log.

  • Extracted main post via api.fxtwitter.com fallback; inspected attached screenshot separately.
  • Thomas Ptacek argues the .de incident is decisive evidence against DNSSEC as core Internet security functionality.
  • Attached screenshot captures Cloudflare status text saying it temporarily disabled DNSSEC validation on 1.1.1.1 so .de names would continue resolving while DENIC fixed a DNSSEC signing problem.
  • Why it matters: this is the sharper, event-driven version of the previous anti-DNSSEC thesis, if a major resolver bypasses validation during a registry signing failure, the operational model looks fragile.
  • Useful paired angle with the linked essay: theory from 2015 plus real outage behavior in 2026.