When DNSSEC goes wrong: how we responded to the .de TLD outage
Sebastiaan Neuteboom, Christian Elmerot, Max Worsley
Tags: DNS, DNSSEC, 1.1.1.1, Reliability, Outage
AI-Generated Summary: This is an automated summary created using AI. For the full details and context, please read the original post.
Summary of the .de TLD DNSSEC Outage
On May 5, 2026, at 19:30 UTC, DENIC, the registry operator for the .de country-code top-level domain (TLD), started publishing incorrect DNSSEC signatures for the .de zone. This caused validating DNS resolvers, including Cloudflare's 1.1.1.1 public DNS resolver, to reject responses and return SERVFAIL to clients. The outage had significant implications for millions of domains under the .de TLD, making them unreachable.
Key Technical Details
- DNSSEC (Domain Name System Security Extensions) adds cryptographic authentication to DNS, ensuring the integrity of DNS records.
- The .de TLD uses a chain of trust, starting at the root zone, to verify the authenticity of DNS records.
- The incorrect DNSSEC signatures published by DENIC caused validating resolvers to reject responses and return SERVFAIL.
- The outage was caused by a misconfiguration at the TLD level, which affected every domain under it.
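The SERVFAIL described above is indistinguishable, from the client's point of view, from any other resolver failure unless you ask the resolver to skip validation. The following added example (not code from the Cloudflare post) sends the same question to a validating resolver twice, once normally and once with the CD (Checking Disabled) bit set: a SERVFAIL that disappears with CD=1 means the resolver fetched the data but rejected its DNSSEC signatures, exactly the failure mode of the .de incident. The resolver address 1.1.1.1 comes from the page; the function names and the `probe` workflow are this example's own.

```python
import socket
import struct

SERVFAIL = 2  # DNS RCODE 2 (RFC 1035)

def encode_name(qname: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in the root label."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname: str, qtype: int = 1, checking_disabled: bool = False, txid: int = 0x1234) -> bytes:
    """Build a DNS/UDP query: RD=1, an EDNS0 OPT record with DO=1 (ask for RRSIGs),
    and optionally CD=1 so the resolver hands back data it could not validate."""
    flags = 0x0100 | (0x0010 if checking_disabled else 0)  # RD bit, optional CD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1 (OPT)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT pseudo-RR: root name, TYPE 41, UDP size 1232, ext-RCODE 0, version 0, flags DO, RDLEN 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_rcode(response: bytes) -> int:
    """Return the 4-bit RCODE from a response header (0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN)."""
    (flags,) = struct.unpack("!H", response[2:4])
    return flags & 0x000F

def classify(rcode_validating: int, rcode_cd: int) -> str:
    """Interpret the pair of answers: SERVFAIL with CD=0 but not with CD=1 means the
    data was reachable and only failed DNSSEC validation at the resolver."""
    if rcode_validating == SERVFAIL and rcode_cd != SERVFAIL:
        return "dnssec-validation-failure"
    if rcode_validating == SERVFAIL:
        return "resolver-or-upstream-failure"
    return "resolvable"

def probe(qname: str, resolver: str = "1.1.1.1", timeout: float = 3.0) -> str:
    """Send the same question with CD=0 and then CD=1 to a validating resolver and classify."""
    rcodes = []
    for cd in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(qname, checking_disabled=cd), (resolver, 53))
            rcodes.append(parse_rcode(s.recv(4096)))
    return classify(*rcodes)

if __name__ == "__main__":
    print(probe("example.de"))  # network access required; output depends on live DNS state
```

During an incident like this one, a "dnssec-validation-failure" result for many unrelated names under the same TLD points at the parent zone's signatures rather than at the individual domains.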
Practical Implications for Developers
- The outage highlights the importance of DNSSEC and the need for accurate DNS record signing.
- Developers should ensure that their DNS records are properly signed and verified to prevent similar outages.
- The incident also demonstrates the importance of caching and record expiration in DNS, as cached records can cause continued failures even after the initial outage is resolved.
Timeline
- May 5, 2026, at 19:30 UTC: DENIC starts publishing incorrect DNSSEC signatures for the .de zone.
- 19:30-22:30 UTC: Validating resolvers, including 1.1.1.1, reject responses and return SERVFAIL.
- 22:30 UTC: Cached records start expiring, causing continued failures as resolvers go back to DENIC for fresh copies.
Original post: Cloudflare Blog