Hope Is Not a Strategy

Open source software is often the unglamorous workhorse in your server rack, the silent operator in your stack, and the punk soul in your operations pipeline. 

It's thoroughly tested and trusted for all the right reasons. But when your business depends on it, you still need a lifeline.

"Having enterprise-grade support from the people who wrote the code—and know the stakes—means you're not gambling your business on the generosity of volunteers. You're paying for reliability, ongoing improvements, the privilege of yelling at someone when everything hits the fan—and getting answers that matter when it counts." 

— Alex Band, Director of Product Development at NLnet Labs

The Myth of Free

Open source is "free" the same way a stray dog is free. Sure, you can take it home, but you'd better be ready to feed it, train it, and rush it to the vet when it swallows a thumb drive. Mission‑critical systems demand stability, security, and accountability—not just awesome code and a README.

And in today’s regulatory climate, they also demand compliance—think NIS2, which brings stricter obligations around DNS infrastructure, incident handling, and supply chain resilience across the EU.

DNSSEC Signing: The Quiet Cornerstone of Security

Let’s narrow the focus: DNSSEC signing. It may not sound sexy, but it’s one of those critical pieces of digital infrastructure that quietly holds everything together. When it fails, you’re staring down outages, trust in freefall and reputation damage.

What TLDs Say: The Real Voices from the Frontline

If a registry managing top-level domains goes dark, hospitals, banks, and e-commerce sites go offline with it. Government portals can’t deliver essential services. Businesses stop transacting. And across the country, people can’t connect, communicate, order, or pay.

So, we asked 16 TLD operators: What keeps you up at night? The answers were illuminating, and they echo everything you dread:

  • Trust, continuity, compliance are now baseline concerns
    The conversation wasn’t about making tools faster—it was about building infrastructure that ends hero ops, and can be audited, transferred, and trusted beyond any single person.
  • Uptime isn’t enough
    It isn’t just “keep it running.” It’s “keep it running resiliently.” Observability, accountability, and a documented chain of recovery matter just as much.
  • Support models are inconsistent (and often weak)
    Only about 50% of surveyed TLDs have formal SLAs or contracts for support. Another ~35% have 'someone they can call.' And ~15% are totally on their own if something breaks.
  • Observability, validation, and auditable pipelines are often missing
    Many TLDs use manual validation tools (like DNSViz) or internal scripts. Few have full, automated, built‑in visibility between every stage of the signing process. They often don’t know something’s wrong until after damage is done.
  • Recovery / fallback plans are spotty
    If failure is inevitable—and every TLD agrees it is—then recovery must be built in. But many respondents said their fallback strategies are unclear, undocumented, or rely on tribal knowledge.

From Theory to the Trenches

DNSSEC signing at scale is meticulous, ongoing work. We designed and built Cascade—on the feedback of 16 leading TLDs—because legacy systems just aren't cutting it anymore.

People are done with failed cron jobs and brittle XML configs. Auditors? Even less forgiving—demanding full visibility, traceability, and processes you can prove under pressure.

Cascade isn’t a silver bullet. But it’s what happens when open source meets professional-grade engineering and real-world support.

The Bottom Line

If DNSSEC is part of your critical path—if you're signing zones, managing key lifecycles, or keeping trust chains intact for millions of users—you owe it to yourself and your customers to replace legacy tooling, cowboy coding and hero ops with open source tooling built on today’s corporate reality, with enterprise support that understands the weight of what you're protecting.

Cascade is what happens when open source meets professional-grade engineering and real-world support.

It means having the pros on your team and in the room when the auditors or tough questions come. Support also means we’ll help you migrate from your current system to Cascade—end to end.


That’s how you build trust. 
That's how you sleep at night.

Unbox with us

Cascade officially launches on October 7th at OARC 45 in Stockholm. Contact Alex Band at NLnet Labs if you want to explore support options for your organisation today.