Hacker News

The buried lede here seems to be that this is yet another serious outage (indirectly) caused by using DNSSEC, though I understand why they don’t emphasize this part, given their strong advocacy for DNSSEC adoption.


As I read it, DNSSEC signature expiry was what triggered people noticing the root data was stale. That would seem to be a somewhat positive outcome.


> DNSSEC signature expiry was what triggered people noticing the root data was stale

If you noticed your brakes had failed because you ended up in a ditch I wouldn't really say that's a positive outcome.

Frankly I can't believe they don't have better monitoring for a system as critical as that.


Would you rather an error or stale DNS?


Having had to troubleshoot a third-party service not so dissimilar to 1.1.1.1 and prove to them that their infrastructure was misbehaving in a similar manner, I'll take the error, thank you.


Well it's a free public resolver service. There's plenty of other options and you can even run your own very easily.


I don't know why Cloudflare, like Amazon, often get a free pass on HN for their DNS implementation bugs. Regardless of DNSSEC's merits or otherwise, this bug isn't inherent to DNSSEC.



