Another win for DNSSEC. Unmatched at turning small ops mistakes into country-wide ops consequences
remmy@social.treehou..
replied 05 May 2026 21:47 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/8XzSxpR2BSKNdkVvTF
benjojo
replied 05 May 2026 21:53 +0000
in reply to: https://social.treehouse.systems/users/remmy/statuses/116524165124553084
benjojo
replied 05 May 2026 21:21 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/8XzSxpR2BSKNdkVvTF
[ DNSSEC Bone Crunching Noises ] Seemingly the actual sigs that were made do not validate:
RRSIG denic.de/DS alg 8, id 33834: The cryptographic signature of the RRSIG RR does not properly validate. See RFC 4035, Sec. 5.3.3.
marius@kiessling.soc..
replied 05 May 2026 21:33 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/6vW9h3WdZ4wVwhmrrG
@benjojo what’s a bit concerning is this current update: “DENIC eG is currently experiencing a disruption in its DNS service for .de domains. As a result, all DNSSEC-signed .de domains are currently affected in their reachability.” That’s actually downplaying the impact. All DNSSEC-verifying resolvers cannot resolve DE domains. Even non-signed zones are affected.
benjojo
replied 05 May 2026 21:38 +0000
in reply to: https://kiessling.social/users/marius/statuses/116524108098551037
@marius I've just always had DNSSEC off with my resolvers. It's long been written about how DNSSEC doesn't really make a lot of sense for almost all use cases. One of the few cases where it really would be a lot better if the whole thing was redesigned rather than try and fix what we have.
marius@kiessling.soc..
replied 05 May 2026 21:41 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/6G72BS7m5Q68hrSNJ6
@benjojo yeah I don’t disagree with you. The problem for most consumers seems to be that big recursive resolvers like Google and Cloudflare don’t serve responses if DNSSEC validation fails.
benjojo
replied 05 May 2026 21:55 +0000
in reply to: https://kiessling.social/users/marius/statuses/116524142248591068
@marius most users (especially in the residential segment) do not use alt DNS resolvers: https://benjojo.co.uk/u/benjojo/h/vCBrLDlzrd7vyd9nHg
pikesley@mastodon.me..
replied 05 May 2026 21:18 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/8XzSxpR2BSKNdkVvTF