On Wed, Dec 8, 2021 at 6:35 AM Niels Bakker <niels=nanog@bakker.net> wrote:
* darkdevil@darkdevil.dk (Arne Jensen) [Wed 08 Dec 2021, 15:23 CET]:
>To me, that part of it also points towards a broken implementation at
>CloudFlare, letting a bogus (insecure) responses take effect anyway.

Or they prefer allowing people to visit websites over punishing
system administrators for operational failures that less secure (read:
nonvalidating) ISPs wouldn't inflict on their customers.

It's been quite common for DNSSEC-enabled recursors to add overrides
for outaged domains in situations like this.

It’s quite common for DNSSEC to fail at spectacular scale 

It is also common for DNSSEC to be weaponized in colossal ddos attacks. 

What’s uncommon? Attacks that DNSSEC is intended to solve. 

Don’t wait for the rfc. 

You dont need a weatheman. 

DNSSEC is considered harmful on the internet




It looks like the error has been mitigated, by the way, so this manual
override may not even have happened.


        -- Niels.