Hello and welcome to the Thursday, May 7th, 2006 edition of the Sands Internet Stormsiders.

Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

And this episode is brought you by the Sands.edu undergraduate certificate program in cyber security fundamentals.

Well, it's not DNS. There's no way it's DNS. And in the end, it was DNS.

This good old DNS haiku again became true yesterday with the dot-de-de, the German country top-level domain.

Apparently what happened here was a DNSSEC issue.

DNSSEC, as I have often said, is one of those protocols that, well, they actually let the

security people develop the protocol.

You always complain that protocols aren't secure enough because security. those protocols that, well, but they actually let the security people develop the protocol.

You always complain that protocols aren't secure enough because security people never sort of get a say in the development until it's too late. Well, Dinesek, I think, is sort of an example

where it went the other way around. And as a result, it's a pretty complex protocol, lots of moving parts, lots of things that can go wrong,

and then, well, in the sense of good security, if it goes wrong, it usually just stops working.

So it's one of those, you know, fail-closed kind of systems, and that's kind of what happened here with the.de zone.

The problem apparently was key rotation, like with all cryptographic systems, you need to rotate your keys ever so often,

which then also means that you need to change signatures.

Well, Dinesek has a mechanism for this,

where you first basically make a new key life.

You advertise a new key,

and the old key remains valid and also remains accessible.

But then you start updating signatures.

Apparently something here went wrong.

They haven't really released any

...