DNSSEC disruption affecting .de domains – Resolved
- krystofbe - 54550 seconds ago
Looks like a DNSSEC issue, not a nameserver outage. Validating resolvers SERVFAIL on every .de name with EDE:
RRSIG with malformed signature found for a0d5d1p51kijsevll74k523htmq406bk.de/nsec3 (keytag=33834)
dig +cd amazon.de @8.8.8.8 works, dig amazon.de @a.nic.de works. Zone data is intact, DENIC just published an RRSIG over an NSEC3 record that doesn't validate against ZSK 33834. Every validating resolver therefore refuses to answer.
Intermittency fits anycast: some [a-n].nic.de instances still serve the previous (good) signatures, so retries occasionally land on a healthy auth. Per DENIC's FAQ the .de ZSK rotates every 5 weeks via pre-publish, so this smells like a botched rollover.
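Added example, not part of krystofbe's comment or the thread: the three-way comparison described above (validating resolver, the same query with +cd, and a direct query to the authoritative server) written as a small triage over dig output. The dig excerpts are constructed samples using a placeholder name, and the function names and verdict strings are assumptions of this example; the EDE code set is the DNSSEC-related codes from RFC 8914.

```python
import re

# Constructed dig excerpts (placeholder name, not captured from the incident).
VALIDATING = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDE: 6 (DNSSEC Bogus): (RRSIG with malformed signature found for example.de/nsec3)
"""
CHECKING_DISABLED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
AUTHORITATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
"""

# RFC 8914 Extended DNS Error codes that indicate a DNSSEC validation problem.
DNSSEC_EDE = {1, 2, 5, 6, 7, 8, 9, 10, 11, 12}

def parse_dig(text):
    """Extract rcode, header flags and EDE info-codes from dig output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"^;; flags: ([a-z ]*);", text, re.M)
    ede = [int(n) for n in re.findall(r"^; EDE: (\d+)", text, re.M)]
    return {
        "status": status.group(1) if status else None,  # None: no reply at all
        "flags": set(flags.group(1).split()) if flags else set(),
        "ede": ede,
    }

def triage(validating, cd, auth):
    """Classify a failure from the three queries described in the comment."""
    v, c, a = (parse_dig(t) for t in (validating, cd, auth))
    if v["status"] != "SERVFAIL":
        return "no SERVFAIL from validating resolver"
    if a["status"] is None:
        return "authoritative unreachable: nameserver outage"
    # Data is served once validation is skipped (CD bit echoed in the reply).
    if c["status"] == "NOERROR" and "cd" in c["flags"]:
        if DNSSEC_EDE & set(v["ede"]):
            return "DNSSEC validation failure (confirmed by EDE)"
        return "DNSSEC validation failure (likely; no EDE returned)"
    return "resolver cannot fetch data: not explained by DNSSEC alone"
```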
- Aldipower - 49046 seconds ago
Apparently the DENIC team was at a party this evening! Party hard, but not too hard. https://bsky.app/profile/denic.de/post/3ml4r2lvcjg2h
- tom1337 - 46123 seconds ago
Cloudflare has now disabled DNSSEC validation on their 1.1.1.1 resolver: https://www.cloudflarestatus.com/incidents/vjrk8c8w37lz
- pocksuppet - 51910 seconds ago
I must be early. There's not a single tptacek DNSSEC rant in this thread yet.
- sundiver - 54123 seconds ago
Yes, all .de domains down because of DNSSEC failure at Denic https://dnsviz.net/d/de/dnssec/
- siva7 - 51274 seconds ago
Crazy. I can't remember an incident like this ever happened before and it's still not fixed? .de is probably the most important unrestricted domain after .com from an economical perspective. Millions of businesses are "down".
- chromehearts - 53006 seconds ago
I was STRESSING tf out because I wasn't able to connect to my services & apps through my domains like at all .. they only work when using my phone data ? .. thank god it's not my fault this time
- tom1337 - 49770 seconds ago
I have never used DNSSEC and never really bothered implementing it, but do I understand it correctly that we took the decentralized platform DNS was and added a single-point-of-failure certificate layer on top of it which now breaks because the central organisation managing this certificate has an outage taking basically all domains with them?
- sunaookami - 53040 seconds ago
https://status.denic.de/ says "Partial Service Disruption" for DNS Nameservice now.
EDIT: it says "Service Disruption" now
- kuerbel - 53085 seconds ago
I just spent the better half of an hour to debug unbound and the pihole because I thought it's a me problem...
Good news though, if you add domain-insecure: "de" to your unbound config everything works fine
- __michaelg - 53071 seconds ago
Finally establishing the concept of Feiertag on the internet. Come back tomorrow.
- 1vuio0pswjnm7 - 53273 seconds ago
.de TLD is online. DNS working fine
DNSSEC not working
If using an open resolver, i.e., a shared DNS cache, e.g., third party DNS service such as Google, Cloudflare, etc., then it might fail, or it might not. It depends on the third party DNS provider
https://datatracker.ietf.org/meeting/118/materials/slides-11...
- SEJeff - 44556 seconds ago
Just gonna leave this absolute gem from Thomas Ptacek on DNSSEC here:
- iknowstuff - 53524 seconds ago
Kurzgesagt predicted this, Germany is OVER
- kaltsturm - 48939 seconds ago
Denic will be added to the "Major DNSSEC Outages and Validation Failures" list: https://ianix.com/pub/dnssec-outages.html
- yassiniz - 48682 seconds ago
Shops open normally from 8am to 8pm in Germany. Today we decided to pilot opening hours for .de domains as well
- basilikum - 42609 seconds ago
This is the kind of system failure that we need really good and well tested disaster recovery plans for. While not necessary this time, DENIC and any critical infrastructure provider should be able to rebuild their entire infrastructure from scratch in a tolerable amount of time (Rather days than hours in the case of a full rebuild). Importantly the disaster recovery plan has to work without reliance on either the system that is failing, but also on adjacent systems that might have hidden dependencies on the failing system.
I'm really not too close to Denic and know nothing about their internals, but just close enough to have experienced the stress of someone working for DENIC second hand during the outage. From the very limited information I happened to gather DENIC had some trouble in addressing the issue because, surprise, infrastructure that they need to do so runs on de domains. [1]
I'm convinced there are all kinds of extended cyclic dependencies between different centralization points in the net.
If some important backbone of the internet is down for an extended time, this will absolutely cause cascading failures. And these central points of failure are only getting worse. I love Let's Encrypt, but if something causes them to hard fail things will go really bad once certificates start to expire.
We need concrete plans to cold start extended parts of the internet. If things go really bad once and communication lines start to fail, we're in for a bad time.
Maybe governments have redundant, ultra resistant, low tech communication lines, war rooms and a list of important people in the industry who they can find and put in these war rooms so they can coordinate the rebuild of infrastructure. But I doubt it.
[1] I don't know if there is some kind of disaster plan in the drawer at DENIC that would address this. I don't mean to allege anything against DENIC specifically, but broadly speaking about companies and infrastructure providers, I would not be surprised if there was absolutely no plan on what to do if things really go down and how to cold start cyclic dependencies or where they even are.
- edb_123 - 47262 seconds ago
Things seem to be on their way up now, and https://status.denic.de/ is working again, at least from here.
DENIC's status page currently says "Frankfurt am Main, 5 May 2026 – DENIC eG is currently experiencing a disruption in its DNS service for .de domains. As a result, all DNSSEC-signed .de domains are currently affected in their reachability. The root cause of the disruption has not yet been fully identified. DENIC’s technical teams are working intensively on analysis and on restoring stable operations as quickly as possible.
- nfreising - 49296 seconds ago
They can join the (rather long) list of TLD DNSSEC outages https://ianix.com/pub/dnssec-outages.html
- elevation - 51860 seconds ago
I've considered hard-coding some addresses into firmware as a fallback for a DNS outage (which is more likely than not just misconfigured local DNS.) Events like this help justify this approach to the unconcerned.
- alper - 7933 seconds ago
I'd expect political escalation for something like this but given that this is Germany, who knows.
- kangalioo - 54799 seconds ago
So glad I found someone mention this. Amazon.de, SPIEGEL.de is down. Highly prominent sites unreachable. I wonder how long this will last and how big of a thing this ends up being once people talk about it :o Feels big to me
- yowmamasita - 48704 seconds ago
The same day Kurzgesagt posted their video “Germany is over”. Huh. https://youtu.be/n-gYFcVx-8Y
- Zopieux - 45265 seconds ago
That postmortem should be a fun read, can't wait.
- kaltsturm - 52391 seconds ago
https://dnsviz.net/d/spiegel.de/dnssec/
yes indeed
- merb - 53518 seconds ago
Well at least it’s night time which means it’s hopefully resolved in the morning.
Looks like it failed after a maintenance: https://www.namecheap.com/status-updates/planned-denic-de-re...
- taf2 - 46274 seconds ago
ok I picked a bad day to move from one register to another... I just spent the last hour frantically trying to figure out why the new register screwed us or the old register was screwing us...
- dwedge - 51603 seconds ago
On a slightly unrelated note, I was setting nameservers for two .de domains a few weeks ago and thought my provider was being crazily strict because they kept getting rejected. Turns out you can't point to a nameserver until that nameserver has a zone for the domain, and you can't use nameservers from two providers unless those two providers are both in the NS records at both ends
- hmilch99 - 54696 seconds ago
https://pastebin.com/2mQUB8xX seems like someone's going to have a lot of fun tonight
- nuil - 54510 seconds ago
Looks Like a DNSSEC error:
- adamas - 12779 seconds ago
I wasn't even aware that was possible..?
- kaltsturm - 49192 seconds ago
Denic should work out a disaster recovery test - like: https://blog.apnic.net/2022/02/14/disaster-recovery-with-dns...
- 0x80h - 49493 seconds ago
Am I reading this correctly? All .de domains are down? Looking forward to reading the postmortem.
- g4cg54g54 - 49927 seconds ago
Fun fact: enabling DNSSEC NOW will fix your domain instantly if DNSSEC was disabled before
-> no idea if that also "heals" anyone who had DNSSEC on before.
-> no idea if maybe they need to roll back something and then rebreak the new DNSSEC I made a minute later lol...
- 0xbadcafebee - 24620 seconds ago
I can't wait for the .com TLD outage. Y'all thought Cloudflare down was bad? Lol
- baby - 24130 seconds ago
Should I do my usual rant about how the web PKI refuses to move to a consensus protocol?
- warpspin - 55215 seconds ago
Whole .de TLD seems to go offline right now due to dnssec or missing nic.de nameservers?
- yosamino - 52422 seconds ago
The last time I remember .de had a major outage like this was 2010. I would cite some sources but... you know. That was a fun afternoon, though.
I am very happy that it doesn't happen more often.
- Oarch - 47669 seconds ago
Germany has fallen.
- jamietanna - 53935 seconds ago
Was wondering why a few of my sites aren't CSSing, as they use https://classless.de
- victorbjorklund - 52983 seconds ago
I was just wondering what was up with our .de site.
- kaltsturm - 52179 seconds ago
Even their own status page is not reachable: https://status.denic.de/
As fallback they should use their X account: https://x.com/denic_de
- lxgr - 53133 seconds ago
Wow, I thought I was somehow unaffected but my resolver must just have cached the sites I'd tried.
- kaltsturm - 47811 seconds ago
From my analysis, DENIC re-signed the .de zone today (May 5, 2026, ~17:49 UTC). The DNSSEC signature (RRSIG) for the NSEC3 record covering the hash range of nearly all .de TLD is cryptographically broken (malformed).
- binghatch - 54368 seconds ago
Wow… it’s definitely not all .de TLDs, but a lot of prominent ones definitely.
- tarruda - 52014 seconds ago
Mailbox.org (also from Germany) seems to be experiencing issues too.
- jdthedisciple - 19133 seconds ago
Seems up again. How briefly did the outage last?
- jiveturkey - 47067 seconds ago
It’s not DNS
There’s no way it’s DNS
It was DNSSEC
- bflesch - 48467 seconds ago
On Monday there was a huge outage affecting several cities quite close to Frankfurt because someone cut a major fiber line; today DENIC is having a party and right when everyone is drunk this happens because some post-rotation task cannot be completed.
There are too many coincidences happening.
- kaltsturm - 47668 seconds ago
With chrome it works again
- whalesalad - 50497 seconds ago
You can visually see this anomaly in many of CF Radar's charts: https://radar.cloudflare.com/dns/de?dateRange=1d
- NooneAtAll3 - 42152 seconds ago
quad9 seems to be having problems with DNSSEC as well
- Animux - 47705 seconds ago
Seems to be fixed now.
- dark-star - 52306 seconds ago
How come I have zero problems with any .de domain I tried accessing in the last half hour?
- jiggawatts - 52903 seconds ago
I work with a few people specialised in IT security, and some of them take their jobs too seriously and will "lock down" everything to the point that it becomes a very real risk that they lock out everyone including themselves.
Fundamentally, security is a solution to an availability problem: The desire of the users is for a system to remain available despite external attack.
Systems that become unavailable to everyone fail this requirement.
A door with its keyhole welded shut is not "secure", it's broken.
- sanbaideng - 49166 seconds ago
aiimageupscaler
- siginator - 51850 seconds ago
how is that possible?
- pogii123 - 53942 seconds ago
For me bmw.de works but www.bmw.de not
- amelius - 46205 seconds ago
Maybe related to this? Crazy idea, but nothing surprises me anymore.
https://edition.cnn.com/2026/05/01/politics/us-troop-withdra...