Anyone else seeing DNSSEC failures from EU Commission ? (european-union.europa.eu)

Arne Jensen darkdevil at darkdevil.dk
Thu Dec 9 09:06:44 UTC 2021


Den 08-12-2021 kl. 15:32 skrev Niels Bakker:
> * darkdevil at darkdevil.dk (Arne Jensen) [Wed 08 Dec 2021, 15:23 CET]:
>> To me, that part of it also points towards a broken implementation at 
>> CloudFlare, letting a bogus (insecure) responses take effect anyway.
>
> Or they prefer allowing people to visit websites over punishing system 
> administrators for operational failures that less secure (read: 
> nonvalidating) ISPs wouldn't inflict on their customers.
I find it hard to believe that CloudFlare would do such though, however, 
while such kind of things could indeed be the cause, I'm personally 
going towards "Rather safe, than sorry".
>
> It's been quite common for DNSSEC-enabled recursors to add overrides 
> for outaged domains in situations like this.

Unfortunately, yes, overrides are too common for many different things. 
Time for them (the overrides) to die completely.

>
> It looks like the error has been mitigated, by the way, so this manual 
> override may not even have happened.

+1.

-- 
Med venlig hilsen / Kind regards,
Arne Jensen



More information about the NANOG mailing list