When DNSSEC goes wrong: how we responded to the .de TLD outage

On May 5, 2026, at roughly 19:30 UTC, DENIC, the registry operator for the .de country-code top-level domain (TLD), started publishing incorrect DNSSEC signatures for the .de zone. Any validating DNS resolver receiving these signatures was required by the DNSSEC specification to reject them and return SERVFAIL to clients, including 1.1.1.1, the public DNS resolver operated by Cloudflare.

The country-code top-level domain for Germany, .de, is one of the largest on the Internet. On Cloudflare Radar, it consistently ranks among the most broadly queried TLDs globally. An outage at this level of the DNS hierarchy has the potential to make millions of domains unreachable.

In this post, we’ll walk through what we saw, the impact of these events, and how we applied temporary mitigations while DENIC resolved the issue.

How DNSSEC works

DNSSEC (Domain Name System Security Extensions) adds cryptographic authentication to DNS. When a zone is signed with DNSSEC, each set of records is accompanied by a digital signature known as an RRSIG record that lets a resolver verify the records haven’t been tampered with. Unlike encrypted DNS protocols, such as DNS over TLS (DoT) and DNS over HTTPs (DoH), DNSSEC is about Continue reading

Worth Reading 050626


DDoS mitigation often relies on BGP for “scrubbing”, but how this appears in routing data is not well understood. We analyse five major providers to distinguish between always-on and on-demand protection.

 


This column argues that without AI, adequate privacy has become simply out of reach. This is not because AI is benign; it most definitely is not. Rather, the modern digital ecosystem has evolved to a point where no human, unaided, can understand, monitor, or manage the complexity of today’s data practices.

 


Conventional memory schemes follow the Pareto Principle, in which approximately maintaining 20% hot data can meet 80% of requests. L

 


Google has just forked its Tensor Processing Unit, or TPU, designs for these two workloads, the very first time in more than a decade that TPU systems of the same generation were truly architecturally distinct from each other.

 


Fake domains are not a new problem. What’s now changing is the scale and how easily attackers can blend into your domain ecosystem with lookalikes, inactive registrations, and domains set up purely for email.

Hmmm: Cloudflare’s Automatic Return Routing

A while ago, I found the How Automatic Return Routing solves IP overlap article on Cloudflare’s blog. They evidently have a technology that addresses a pain point well worth solving (access to shared resources from clients using overlapping address ranges). I just hate how they’re selling it. Go read the article first; I’ll wait.

OK, here’s what bothers me: the “VRFs and NAT are bad” claims, while they use the same technology in disguise.

Read more …

Calculating The Kubernetes Integration Tax: What Your DIY Networking Stack Actually Costs

It was 11:47pm on a Thursday night, and a senior platform engineer at a large North American bank was rolling back a ‘simple’ configuration change. The change itself was small, a routine update approved through the usual review process, but when it was applied, pods began cycling and connections started dropping. For the next three seconds, mobile banking sessions already mid-transaction dropped. Customer support lit up. The incident review the next morning spent most of its time arguing about how the change had been approved. Almost no one asked the harder question: why a configuration change in one place broke something seemingly unrelated.

That question rarely gets a clean answer. What looks like a single layer is usually one knot in a stack of five to seven products including a CNI, network policy, service mesh, observability, threat detection and compliance tooling that come from different vendors and were never designed to operate as one system. Each one works. The gaps between them are where the risk, and the cost, lives.

This is just one example of the Kubernetes integration tax.

What is the Kubernetes Integration Tax?

The Kubernetes integration tax is the cumulative cost in engineer time, security exposure, Continue reading

PP108: How to Build and Sustain a Successful Zero Trust Project

In theory, a zero trust initiative seems straightforward: you just need the right tools and maybe some whiteboard sessions to work out the architecture. In practice, our guests note that zero trust “unfolds inside organizations filled with legacy systems, political friction, budget constraints, and competing priorities.” Without accounting for those complications, a zero trust project... Read more »

ARP Issues in EVPN Centralized Routing Design

Adding IRB to a EVPN MAC-VRFs (the fancy way of saying stretched VLANs) seems like a no-brainer:

  • Add IP addresses to VLAN interfaces
  • Optionally add a shared anycast gateway
  • Declare “Mission Accomplished” (and try to ignore the inevitable phone call at 2 AM on a Sunday night)

Making that work in a multi-vendor environment is even more fun1, as I sadly discovered when creating the EVPN lab exercises or trying to figure out why some EVPN implementations were failing netlab EVPN integration tests.

Read more …

D2D

t's a new space race with a number of satellite operators pushing out LEO satellite services that operate directly to hand-held devices, or D2D.

You cannot sell AI written software

You may have seen it too. This trend of “I wrote some software to solve a problem. I think it’s pretty great. Does anyone have any feedback?”. Maybe it’s a budget app. Or some company management thingy, tracking sales. Or invoicing.

Maybe you take a look. It looks pretty slick. But then you get a feeling of uncanny valley. It’s just not right. Maybe you can’t even put your finger on it.

I’m not an accountant, so when I see some accounting software do something in a different way, it’s interesting. Why is it that way? What can I learn from the fact that a professional thinks it should be this way?

You already know what’s weird about it, if nothing else because of the title of this post. The software works this way because the LLM wrote it that way. There’s no reason. It’s not even wrong.

How do you give “feedback” on that? My feedback would be that you don’t understand the problem you’re trying to solve, and have shown no sign you intend to understand it, so how could you possibly think you can solve it?

You’re not asking for feedback. You’re asking for someone Continue reading

Worth Reading 050426


What can we learn about QUIC deployments just by listening to unsolicited QUIC traffic? This question becomes specifically exciting since QUIC aims for enhanced privacy by obfuscating metadata.

 


Securing AI means securing all the AI layers and throughout the lifecycle: data, model, and applications, in training and in inference.

 


According to a Reuters report, Meta is installing tracking software on its employees’ work computers. The tool, called Model Capability Initiative (MCI), will log mouse movements, clicks, and keystrokes. It will also take occasional screenshots of employees’ screens.

 


Despite its usage, the behaviour of BGP-based scrubbers is not well understood, such as whether scrubbers are always on-path or activated on-demand.

 


The UK’s National Cyber Security Centre (NCSC) has officially endorsed passkeys as the default authentication standard, marking the first time the agency has told consumers to move away from passwords entirely.

NB573: Cisco Open-Sources OpenClaw Protection; T-Mobile Taps Starlink for Broadband Redundancy

Take a Network Break! It’s a busy show this week. We start with follow-up on Anthropic’s Project Glasswing, router bans, and end-of-engineering/end-of-support date changes for Fortinet’s FortiOSv7.4. Our Red Alert warns of 13 critical CVEs in the Linux kernel (all of which can be addressed by updating to version 7). On the news front, Cisco... Read more »

SONiC Part II: Deploy a SONiC Switch Clos Topology

 

Introduction

 

This chapter explains how to create and deploy a simple SONiC-based Clos topology in WSL using Containerlab. First, we open VS Code from WSL to create and edit a topology definition file. Next, we build the topology by defining nodes (SONiC switches and Linux hosts) and the links between them. Before deploying the lab, we verify the wiring with Containerlab’s built-in topology graph. Finally, we deploy the topology and validate access to the nodes using both a Linux shell and the SONiC CLI (vtysh).

Phase 1: Integrate VS Code with WSL




There are a couple of ways to use VS Code with WSL. In this lab, we launch VS Code from the WSL terminal using code .. The first time you run this command, VS Code installs the VS Code Server components inside WSL and then opens a VS Code window connected to the Linux environment. After the installation completes, running code . from any directory opens that folder directly in VS Code.

nwkt@Toni:~$ code .

Updating VS Code Server to version 034f571df509819cc10b0c8129f66ef77a542f0e

Removing previous installation...

Installing VS Code Server for Linux x64 (034f571df509819cc10b0c8129f66ef77a542f0e)

Downloading: 100%

Unpacking: 100%

Unpacked 3505 files and folders to /home/nwkt/.vscode-server/bin/034f571df509819cc10b0c8129f66ef77a542f0e.

Looking for compatibility check Continue reading

SwiNOG 41: It Was Nice to Be Back

Last week’s SwiNOG was (as expected) great fun at a phenomenal location, starting with the first slide of the first presentation: “6 Stages of Network De-sh*tification”. I particularly loved the “talk less, chat more” schedule. The longer breaks gave us plenty of time to catch up with old friends and discuss interesting, sometimes completely unexpected, topics. For example, I learned that SIP MESSAGE is used to carry SMS messages these days.

As much as I loved chatting with fellow networking engineers, I also found these presentations highly interesting:

Read more …
1 3 4 5 6 7 3,872