When DNSSEC goes wrong: how we responded to the .de TLD outage
On May 5, 2026, at roughly 19:30 UTC, DENIC, the registry operator for the .de country-code top-level domain (TLD), started publishing incorrect DNSSEC signatures for the .de zone. Any validating DNS resolver receiving these signatures was required by the DNSSEC specification to reject them and return SERVFAIL to clients, including 1.1.1.1, the public DNS resolver operated by Cloudflare.
The country-code top-level domain for Germany, .de, is one of the largest on the Internet. On Cloudflare Radar, it consistently ranks among the most broadly queried TLDs globally. An outage at this level of the DNS hierarchy has the potential to make millions of domains unreachable.
In this post, we’ll walk through what we saw, the impact of these events, and how we applied temporary mitigations while DENIC resolved the issue.
DNSSEC (Domain Name System Security Extensions) adds cryptographic authentication to DNS. When a zone is signed with DNSSEC, each set of records is accompanied by a digital signature known as an RRSIG record that lets a resolver verify the records haven’t been tampered with. Unlike encrypted DNS protocols, such as DNS over TLS (DoT) and DNS over HTTPs (DoH), DNSSEC is about Continue reading
Cisco Live means human connectivity
Why You Should Attend Cisco Live — and Actually Talk to People Back in 2022, I wrote a post covering everything Cisco Live has to offer: the technical sessions, the…
The post Cisco Live means human connectivity appeared first on AboutNetworks.net.
Booting Debian on Pi 3B with USB WiFi Adapter Connected
The Raspberry Pi 3 Model B (RPi 3B) is a popular platform for (Do-It-Yourself) servers […]
The post Booting Debian on Pi 3B with USB WiFi Adapter Connected first appeared on Brezular's Blog.
Calculating The Kubernetes Integration Tax: What Your DIY Networking Stack Actually Costs
It was 11:47pm on a Thursday night, and a senior platform engineer at a large North American bank was rolling back a ‘simple’ configuration change. The change itself was small, a routine update approved through the usual review process, but when it was applied, pods began cycling and connections started dropping. For the next three seconds, mobile banking sessions already mid-transaction dropped. Customer support lit up. The incident review the next morning spent most of its time arguing about how the change had been approved. Almost no one asked the harder question: why a configuration change in one place broke something seemingly unrelated.
That question rarely gets a clean answer. What looks like a single layer is usually one knot in a stack of five to seven products including a CNI, network policy, service mesh, observability, threat detection and compliance tooling that come from different vendors and were never designed to operate as one system. Each one works. The gaps between them are where the risk, and the cost, lives.
This is just one example of the Kubernetes integration tax.
What is the Kubernetes Integration Tax?
The Kubernetes integration tax is the cumulative cost in engineer time, security exposure, Continue reading
D2D
t's a new space race with a number of satellite operators pushing out LEO satellite services that operate directly to hand-held devices, or D2D.You cannot sell AI written software
You may have seen it too. This trend of “I wrote some software to solve a problem. I think it’s pretty great. Does anyone have any feedback?”. Maybe it’s a budget app. Or some company management thingy, tracking sales. Or invoicing.
Maybe you take a look. It looks pretty slick. But then you get a feeling of uncanny valley. It’s just not right. Maybe you can’t even put your finger on it.
I’m not an accountant, so when I see some accounting software do something in a different way, it’s interesting. Why is it that way? What can I learn from the fact that a professional thinks it should be this way?
You already know what’s weird about it, if nothing else because of the title of this post. The software works this way because the LLM wrote it that way. There’s no reason. It’s not even wrong.
How do you give “feedback” on that? My feedback would be that you don’t understand the problem you’re trying to solve, and have shown no sign you intend to understand it, so how could you possibly think you can solve it?
You’re not asking for feedback. You’re asking for someone Continue reading
SONiC Part II: Deploy a SONiC Switch Clos Topology
Introduction
This
chapter explains how to create and deploy a simple SONiC-based Clos topology in
WSL using Containerlab. First, we open VS Code from WSL to create and edit a
topology definition file. Next, we build the topology by defining nodes (SONiC
switches and Linux hosts) and the links between them. Before deploying the lab,
we verify the wiring with Containerlab’s built-in topology graph. Finally, we
deploy the topology and validate access to the nodes using both a Linux shell
and the SONiC CLI (vtysh).
Phase 1: Integrate VS Code with WSL
There
are a couple of ways to use VS Code with WSL. In this lab, we launch VS Code
from the WSL terminal using code .. The first time you run this
command, VS Code installs the VS Code Server components inside WSL and then
opens a VS Code window connected to the Linux environment. After the
installation completes, running code . from any directory opens that
folder directly in VS Code.
nwkt@Toni:~$
code .
Updating
VS Code Server to version 034f571df509819cc10b0c8129f66ef77a542f0e
Removing
previous installation...
Installing
VS Code Server for Linux x64 (034f571df509819cc10b0c8129f66ef77a542f0e)
Downloading:
100%
Unpacking:
100%
Unpacked
3505 files and folders to
/home/nwkt/.vscode-server/bin/034f571df509819cc10b0c8129f66ef77a542f0e.
Looking for compatibility check Continue reading
SwiNOG 41: It Was Nice to Be Back
Last week’s SwiNOG was (as expected) great fun at a phenomenal location, starting with the first slide of the first presentation: “6 Stages of Network De-sh*tification”. I particularly loved the “talk less, chat more” schedule. The longer breaks gave us plenty of time to catch up with old friends and discuss interesting, sometimes completely unexpected, topics. For example, I learned that SIP MESSAGE is used to carry SMS messages these days.
As much as I loved chatting with fellow networking engineers, I also found these presentations highly interesting:
Simple Wireguard VPN Setup with wg-easy
WireGuard is a modern VPN protocol that is fast, lightweight, and much simpler to set up compared to other options like OpenVPN. It runs in the Linux kernel, uses modern cryptography, and the configuration is just a few lines, which makes it a great choice for personal use.
The problem is, even though WireGuard itself is simple, managing peers can get tedious. You have to generate key pairs, edit config files, hand out configs to each device, and keep track of who has access to what. If you have a few family members or friends who want to use your VPN, this quickly becomes a hassle.
This is where wg-easy can help. It is a simple open-source web UI that sits on top of WireGuard and takes care of all the boring bits for you. You can add or remove clients with a single click, generate QR codes for mobile devices, and see who is connected, all from a clean web interface.
In this post, I will walk you through how to set up wg-easy so you can have your own self-hosted VPN running in just a few minutes.
Lab Topology
Before we get into the setup, let me quickly Continue reading
Rolling the Root Key
In October 2026 the Key-Signing Key of the DNS Root Zone will rolled to a new value. Can we measure how well DNS Resolvers that perform DNSSEC validation are prepared for this change in the trusted root key?I Vibe-Coded My CV Into a CLI
UPDATE - Since publishing this post, I have also added a Palo Alto style CV to the site. I will update the post with more details on that later.
If you do not have the patience to read the rest of this post, here is the site. Type enable and then run any of the usual commands like show version, show ip interface brief, or show ip route to browse through the CV. It is still early days, but I am hoping to make some improvements over time. If you like it, give me a clap on the right.
Overview
I have been thinking about doing this for a long time, but I always assumed it would be a difficult task. I was wrong. I think I had it up and running in about an hour. The idea is that a site that looks and feels like a CLI, where you can run the usual show commands and get output, except the output is my CV.
I have no web development experience, so I used Claude for the entire thing. I started by giving Claude a prompt explaining what I wanted, and asked it to generate Continue reading
Code Orange: Fail Small is complete. The result is a stronger Cloudflare network
Over the past two and a bit quarters, we've undertaken an intensive engineering effort, internally code-named "Code Orange: Fail Small", focused on making Cloudflare's infrastructure more resilient, secure, and reliable for every customer.
Earlier this month, the Cloudflare team finished this work.
While improving resiliency will never be a “job done” and will always be a top priority across our development lifecycle, we have now completed the work that would have avoided the November 18, 2025 and December 5, 2025 global outages.
This work focused on several key areas: safer configuration changes, reducing the impact of failure, and revising our “break glass” procedures and incident management. We also introduced measures to prevent drift and regressions over time, and strengthened the way we communicate to our customers during an outage.
Here we explain in depth what we shipped, and what it means for you.
What it means for you: In most cases, Cloudflare internal configuration changes no longer reach our network instantly and are instead rolled out progressively with real-time health monitoring. This allows our observability tools to catch problems and revert issues before they affect your traffic.
In order to catch potentially dangerous deployments Continue reading
HN825: Faster Than Dijkstra? Exploring a New Shortest-Path Algorithm with Bruce Davie
Dijkstra’s algorithm is the foundation of shortest path calculations for link state routing protocols. But researchers have developed a new algorithm that improves on this decades-old approach. Today’s Heavy Networking welcomes Dr. Bruce Davie to discuss the potential of this new algorithm to unseat Dijkstra. After thoughtful consideration, and consultation with others, his opinion is... Read more »Introducing Dynamic Workflows: durable execution that follows the tenant
When we first launched Workers eight years ago, it was a direct-to-developers platform. Over the years, we have expanded and scaled the ecosystem so that platforms could not only build on Workers directly, but they could also enable their customers to ship code to us through many multi-tenant applications. We now see on Workers: Applications where users describe what they want, and the AI writes the implementation. Multi-tenant SaaS where every customer's business logic is, at runtime, some TypeScript the platform has never seen before. Agents that write and run their own tools. CI/CD products where every repo defines its own pipeline.
Last month, when we shipped the Dynamic Workers open beta, we gave those platforms a clean primitive for the compute side: hand the Workers runtime some code at runtime, get back an isolated, sandboxed Worker, on the same machine, in single-digit milliseconds. Durable Object Facets extended the same idea to storage — each dynamically-loaded app can have its own SQLite database, spun up on demand, with the platform sitting in front, as a supervisor. Artifacts did the same for source control: a Git-native, versioned filesystem you can create by the tens of millions, one per agent, Continue reading