DNSSEC disruption affecting .de domains – Resolved

Posted by warpspin 20 hours ago

DNSSEC disruption affecting .de domains – Resolved(status.denic.de)

719 points | 377 commentspage 7

dark-star 19 hours ago|

How come I have zero problems with any .de domain I tried accessing in the last half hour?

AndroTux 19 hours ago||

maybe your upstream doesn't validate DNSSEC?

dark-star 19 hours ago||

maybe? I'm using PiHole and 8.8.8.8/1.1.1.1 as upstream, and both options show "DNSSEC" next to their options in settings, so I assumed DNSSEC was enabled (unless I have to enable this somewhere else as well?)

warpspin 19 hours ago||

That's weird cause 8.8.8.8/1.1.1.1 will already answer with SERVFAIL right now, unless the domain is still in the cache.

dark-star 1 hour ago||

[dead]

pw6hv 19 hours ago||

cache

dark-star 1 hour ago||

unlikely, as I have also successfully tried domains that I never visited before (at least not in the last 12 months) and according to my PiHole log they were successfully retrieved from 1.1.1.1. and/or 8.8.8.8, which should use DNSSEC

jiggawatts 20 hours ago||

I work with a few people specialised in IT security, and some of them take their jobs too seriously and will "lock down" everything to the point that it becomes a very real risk that they lock out everyone including themselves.

Fundamentally, security is a solution to an availability problem: The desire of the users is for a system to remain available despite external attack.

Systems that become unavailable to everyone fail this requirement.

A door with its keyhole welded shut is not "secure", it's broken.

QuantumNomad_ 19 hours ago||

Security is not just a solution to availability. It is also to keep sensitive data (PII, or business secrets, or passwords, or cryptographic private keys, and so on) away from the hands of bad actors.

If I’m unable to use Amazon for 24 hours it doesn’t really matter. If a photo copy of my passport is leaked that’s worries and potential troubles for years.

senkora 19 hours ago||

Security = Confidentiality + Integrity + Availability

or alternatively,

Security = (exclude unauth'd reads) + (exclude unauth'd writes) + (include auth'd reads and auth'd writes)

Gotta satisfy all parts in order to have security.

jiggawatts 19 hours ago||

If you squint at it, you can convert all three to just availability.

    Confidentiality = available to us, but nobody else.

    Integrity = available to us in a pristine condition.

It's a bit reductive, I'll admit, but it can be a useful exercise in the same way that everything in an economy can be reduce to units of either: "human time", "money" or "energy". Roughly speaking they're interchangeable.

E.g.: What's the benefit to you if your data is so confidential that you can't read it either? This is a real problem with some health information systems, where I can't access my own health records! Ditto with many government bureaucracies that keep my records safe and secure from me.

dnnddidiej 18 hours ago||

That squint loses too much nuance. I don't think of a site data leak as an availiability problem.

Bad UX and bugs are in general not always an availiability problem.

If it hard to get what you want due to bad design but the site is up, the site is still up.

sanbaideng 19 hours ago||

aiimageupscaler

siginator 19 hours ago||

how is that possible?

aweiher 19 hours ago||

Solar Flares

dnnddidiej 18 hours ago||

Took more than cloud flares?

pogii123 20 hours ago||

For me bmw.de works but www.bmw.de not

benny_s 20 hours ago|

bmw.de is down for me too

MikeNotThePope 20 hours ago|||

Both domains page load for me from Amsterdam. I wonder if there's communication disruption. Undersea cable severed?

dark-star 19 hours ago|||

You mean the big undersea cable between the Netherlands and Germany? ;-)

MikeNotThePope 5 hours ago||

Lol, I meant between users across the sea who couldn't see and users in Europe who could.

pogii123 20 hours ago|||

$ nslookup bmw.de ~ Server: 8.8.8.8 Address: 8.8.8.8#53

Non-authoritative answer: Name: bmw.de Address: 160.46.226.165

$ nslookup www.bmw.de ~ ;; Got SERVFAIL reply from 8.8.8.8, trying next server Server: 8.8.4.4 Address: 8.8.4.4#53

* server can't find www.bmw.de: SERVFAIL

dark-star 19 hours ago|||

both work for me from inside Germany

neverrroot 18 hours ago||

[flagged]

evan0721 13 hours ago||

[dead]

blmaniac 20 hours ago||

[dead]

siginator 19 hours ago|

[dead]

More comments...