Millions of websites using the .de top-level domain (TLD) — Germany’s most popular domain extension — became unreachable due to a widespread DNSSEC validation failure. The outage, which began in the late afternoon in Germany, was traced back to DENIC, the registry responsible for managing .de domains.
According to DENIC’s official status page at the time, “DENIC eG is currently experiencing a disruption in its DNS service for .de domains. As a result, all DNSSEC-signed .de domains are currently affected in their reachability.” The registry acknowledged that the root cause was not yet fully identified and that its technical teams were working to restore service.
What Happened?
The outage was not due to a failure of the underlying DNS infrastructure, but rather a problem with DNSSEC (Domain Name System Security Extensions), the cryptographic layer designed to protect against DNS spoofing and cache poisoning. Specifically, validating resolvers began returning SERVFAIL errors for .de domains, indicating that the digital signatures on DNS records could not be verified.
Technical analysis from the community suggested that DENIC had published a new DNSSEC signature (RRSIG) for the .de zone that was malformed or invalid, causing validating resolvers to reject responses for all .de domains. Some users reported that domains still resolved when using non-validating resolvers or when DNSSEC validation was disabled.
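The signature described above produces a recognisable pattern from the resolver side: the same query fails with SERVFAIL when validation is on and succeeds when the resolver is told not to validate (the Checking Disabled bit, `dig +cd`), while the unvalidated answer still carries RRSIG records. The script below is an added example of that triage check, not part of the article or of any DENIC tooling; it assumes `dig` is installed and that the resolver being tested is either the system resolver or one passed as the second argument. The classification rules and the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the article): decide whether a .de lookup failure
# is a DNSSEC validation problem or an ordinary outage by comparing a
# validated query, a Checking-Disabled (+cd) query, and whether RRSIGs are
# present in the unvalidated answer.
set -u

# Pure decision logic, kept separate from the network calls so it can be
# exercised without a resolver.
#   $1 = status with validation enabled (e.g. SERVFAIL)
#   $2 = status with +cd (validation bypassed)
#   $3 = "yes" or "no": RRSIG records seen in the +cd +dnssec answer
classify_dnssec_failure() {
    validated="$1"; cd_status="$2"; rrsig_seen="$3"
    if [ "$validated" = "SERVFAIL" ] && [ "$cd_status" = "NOERROR" ]; then
        if [ "$rrsig_seen" = "yes" ]; then
            # Data exists and is signed, but the chain of trust does not verify:
            # the pattern seen during the .de incident.
            echo "dnssec-validation-failure"
        else
            # Resolver expected signatures the zone did not provide.
            echo "unsigned-or-missing-rrsig"
        fi
    elif [ "$validated" = "SERVFAIL" ] && [ "$cd_status" = "SERVFAIL" ]; then
        # Fails with or without validation, so DNSSEC is not the cause.
        echo "authoritative-or-resolver-failure"
    elif [ "$validated" = "NOERROR" ]; then
        echo "ok"
    else
        echo "inconclusive:$validated/$cd_status"
    fi
}

# Pull the status word out of dig's header line on stdin, e.g.
# ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345".
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Run the three queries for a name against a resolver (default: system resolver).
triage_domain() {
    name="$1"; resolver="${2:-}"; server=""
    if [ -n "$resolver" ]; then server="@$resolver"; fi
    v=$(dig $server "$name" A +dnssec +time=3 +tries=1 | dig_status)
    cd=$(dig $server "$name" A +cd +time=3 +tries=1 | dig_status)
    if dig $server "$name" A +cd +dnssec +time=3 +tries=1 | grep -q 'IN[[:space:]]*RRSIG'; then
        rrsig="yes"
    else
        rrsig="no"
    fi
    printf '%s: validated=%s cd=%s rrsig=%s -> %s\n' \
        "$name" "$v" "$cd" "$rrsig" "$(classify_dnssec_failure "$v" "$cd" "$rrsig")"
}

# Usage: ./dnssec-triage.sh example.de [resolver-ip]
if [ $# -gt 0 ]; then
    triage_domain "$@"
fi
```

Running it during an incident like this one would print `validated=SERVFAIL cd=NOERROR rrsig=yes -> dnssec-validation-failure`; a result of `authoritative-or-resolver-failure` instead means the zone or the resolver itself is down and switching validation off would not help.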
Impact
The outage had a significant impact on German businesses and services, with major sites such as amazon.de, spiegel.de, and others becoming unreachable for many users. The problem was not universal — some users could still access .de sites, likely due to cached DNS records or the use of non-validating resolvers.
According to CircleID, “Millions of websites under Germany’s top-level domains, .de, went offline on Wednesday due to a technical error according to various sources.”
Response and Recovery
DENIC’s status page, which was itself unreachable for a time, later posted an update acknowledging the disruption and promising further information as the situation developed. As of the latest update, the issue was still under investigation, but early indications pointed to a problem during a routine DNSSEC key rollover or signing operation.
Lessons and Reactions
The incident has reignited the long-running debate about the complexity and operational risks of DNSSEC. While DNSSEC is intended to improve security, outages like this demonstrate how a single misconfiguration can have a catastrophic, nationwide impact.
Many in the IT community pointed out that while DNS is designed to be distributed and resilient, DNSSEC introduces new points of failure — especially when it comes to the central authorities responsible for signing TLDs.
Sources: Goosed, Hacker News, CircleID
