de
this is the sharper, event-driven version of the previous anti-DNSSEC thesis, if a major resolver bypasses validation during a registry signing failure, the operational model looks fragile.
Imported from historical reading log.
- Extracted main post via
api.fxtwitter.comfallback; inspected attached screenshot separately. - Thomas Ptacek argues the
.deincident is decisive evidence against DNSSEC ascore Internet security functionality. - Attached screenshot captures Cloudflare status text saying it temporarily disabled DNSSEC validation on
1.1.1.1so.denames would continue resolving while DENIC fixed a DNSSEC signing problem. - Why it matters: this is the sharper, event-driven version of the previous anti-DNSSEC thesis, if a major resolver bypasses validation during a registry signing failure, the operational model looks fragile.
- Useful paired angle with the linked essay:
theory from 2015plusreal outage behavior in 2026.