
Posted by warpspin 15 hours ago

DNSSEC disruption affecting .de domains – Resolved (status.denic.de)
678 points | 347 comments | page 2
__michaelg 14 hours ago|
Finally establishing the concept of Feiertag on the internet. Come back tomorrow.
throw1234567891 14 hours ago||
Internetfreie Dienstage, 21st century variant of Autofreie Sonntage.
9753268996433 14 hours ago||
Using this newfangled thingamabob on a silent holiday will result in the police kicking in your door the next morning.
sgbeal 5 hours ago||
> will result in the police kicking in your door the next morning

But not before 8am.

1vuio0pswjnm7 14 hours ago||
.de TLD is online. DNS working fine

DNSSEC not working

If using an open resolver, i.e., a shared DNS cache, e.g., third party DNS service such as Google, Cloudflare, etc., then it might fail, or it might not. It depends on the third party DNS provider.

https://datatracker.ietf.org/meeting/118/materials/slides-11...

jeroenhd 5 hours ago|
DNS worked fine. The responses that the root DNS servers were sending were wrong.

It's the cryptographic version of that one time the same TLD told the world domains starting with certain letters didn't exist: https://www.theregister.com/2010/05/12/germany_top_level_dom...

SEJeff 12 hours ago||
Just gonna leave this absolute gem from Thomas Ptacek on DNSSEC here:

https://sockpuppet.org/blog/2015/01/15/against-dnssec/

betaby 12 hours ago|
Aged like a milk.
tptacek 12 hours ago||
Oh, yeah, I'm sure feeling chastened right now. You got me.
SAI_Peregrinus 11 hours ago|||
Parmigiano-Reggiano is aged milk, so I'm not sure what people have against aged milk. Aged milk can be great.
sgc 11 hours ago|||
My poor fellow. You wrote about how something is a bad tool for a long list of serious reasons. Then it failed spectacularly because everybody decided to depend on it anyway - exactly what you were cautioning against. But somehow you have to respond to people who think you are the one who got it wrong! As a third party the whole affair gave me a good chuckle at least ;)
tptacek 10 hours ago||
Germany appears to depend on it. Virtually none of North America does. I'm pretty satisfied with how this whole thing shook out!
cyberax 9 hours ago||
You're wrong. Both .com and .net are signed (`dig RRSIG com.`), and if they screw up, then all the com/net zones will become inaccessible.
tptacek 9 hours ago|||
Virtually no zones under .com/.net are signed, which was the only point I was making. It has no adoption here.
profmonocle 3 hours ago|||
Even if example.com is unsigned, the delegation from .com to example.com will still be signed (including an attestation that example.com is unsigned). So lack of DNSSEC adoption by users of the TLD wouldn't save them here.
cyberax 7 hours ago|||
Sure. But that was not the issue with .de, it has about the same level of DNSSEC adoption as .com

DENIC screwed up the TLD itself, and .com/.net are just as susceptible.

theMMaI 6 hours ago|||
Sssshh, don't give Verisign any bad ideas!
iknowstuff 14 hours ago||
Kurzgesagt predicted this, Germany is OVER
irundebian 14 hours ago|
Danke Merkel
mschuster91 13 hours ago||
Not sure if serious or /s
Medicineguy 5 hours ago||
Almost certainly /s. "Danke Merkel" ("Thanks Merkel") was once a sincere criticism from conservatives regarding her policies (esp. during the 2015 refugee crisis), but it quickly evolved into a sarcastic, deadpan joke used to blame her for literally anything that goes wrong in daily Germany - even years after she left. Interesting phenomenon...
nkydr0i0 3 hours ago|||
What about "Thanks Obama"[0]

[0] https://en.wikipedia.org/wiki/Thanks,_Obama

tommit 3 hours ago|||
It's our version of Thanks Obama.
yassiniz 13 hours ago||
Shops open normally from 8am to 8pm in Germany. Today we decided to pilot opening hours for .de domains as well
kaltsturm 13 hours ago||
Denic will be added to the "Major DNSSEC Outages and Validation Failures" list: https://ianix.com/pub/dnssec-outages.html
alper 2 hours ago||
I'd expect political escalation for something like this but given that this is Germany, who knows.
aboardRat4 11 hours ago||
https://ianix.com/pub/dnssec-outages.html
basilikum 11 hours ago||
This is the kind of system failure that we need really good and well tested disaster recovery plans for. While not necessary this time, DENIC and any critical infrastructure provider should be able to rebuild their entire infrastructure from scratch in a tolerable amount of time (Rather days than hours in the case of a full rebuild). Importantly the disaster recovery plan has to work without reliance on either the system that is failing or on adjacent systems that might have hidden dependencies on the failing system.

I'm really not too close to Denic and know nothing about their internals, but just close enough to have experienced the stress of someone working for DENIC second hand during the outage. From the very limited information I happened to gather DENIC had some trouble in addressing the issue because, surprise, infrastructure that they need to do so runs on de domains. [1]

I'm convinced there are all kinds of extended cyclic dependencies between different centralization points in the net.

If some important backbone of the internet is down for an extended time, this will absolutely cause cascading failures. And these central points of failure are only getting worse. I love Let's Encrypt, but if something causes them to hard fail things will go really bad once certificates start to expire.

We need concrete plans to cold start extended parts of the internet. If things go really bad once and communication lines start to fail, we're in for a bad time.

Maybe governments have redundant, ultra resistant, low tech communication lines, war rooms and a list of important people in the industry who they can find and put in these war rooms so they can coordinate the rebuild of infrastructure. But I doubt it.

[1] I don't know if there is some kind of disaster plan in the drawer at DENIC that would address this. I don't mean to allege anything against DENIC specifically, but broadly speaking about companies and infrastructure providers, I would not be surprised if there was absolutely no plan on what to do if things really go down and how to cold start cyclic dependencies or where they even are.

edb_123 13 hours ago|
Things seem to be on their way up now, and https://status.denic.de/ is working again, at least from here.

DENIC's status page currently says "Frankfurt am Main, 5 May 2026 – DENIC eG is currently experiencing a disruption in its DNS service for .de domains. As a result, all DNSSEC-signed .de domains are currently affected in their reachability. The root cause of the disruption has not yet been fully identified. DENIC’s technical teams are working intensively on analysis and on restoring stable operations as quickly as possible."
