DNSSEC disruption affecting .de domains – Resolved

Posted by warpspin 16 hours ago

DNSSEC disruption affecting .de domains – Resolved(status.denic.de)

685 points | 355 commentspage 3

elevation 15 hours ago|

I've considered hard-coding some addresses into firmware as a fallback for a DNS outtage (which is more likely than not just misconfigured local DNS.) Events like this help justify this approach to the unconcerned.

whalesalad 15 hours ago|

The irony is that DNS is a global and distributed system meant to be resilient. It’s the DNSSEC layer on top in this case causing problems.

jeroenhd 6 hours ago|||

The global and distributed system relies on the system actually returning valid responses. If the root servers are broken, whether it's a problem with RRSIG records or A records, the TLD is broken.

If my domains' DNS servers start pointing at localhost, that doesn't mean DNS is a broken protocol.

cedilla 14 hours ago|||

denic is the single source of truth for zones under .de.

The only problem with DNSSEC here is that it's complex.

akerl_ 12 hours ago||

A complex thing where making a mistake makes your domains drop off the internet seems like a pretty big "only problem".

alper 3 hours ago||

I'd expect political escalation for something like this but given that this is Germany, who knows.

kangalioo 16 hours ago||

So glad I found someone mention this. Amazon.de, SPIEGEL.de is down. Highly prominent sites unreachable. I wonder how long this will last and how big of a thing this ends up being once people talk about it :o Feels big to me

moltar 16 hours ago||

Both examples open for me

irundebian 16 hours ago||

Some domains work, some not. I assume that working domains are cached.

balou23 15 hours ago|||

amazon.de, spiegel.de are down for me, too. heise.de works, but that might've been cached somewhere on my side.

yk 15 hours ago||

dig manages to dig out ips for heise.de and tagesschau.de but not spiegel.de amazon.de and google.de However, dig @8.8.8.8 has still amazon.de cached, unlike 1.1.1.1 so perhaps Google to the rescue?

[Edit] After playing around with it, google seems to have at least some pages cached. After setting dns to 8.8.8.8 amazon.de and spiegel.de work again, my blog does not.

theanonymousone 15 hours ago||

idealo.de, ebay.de, and spiegel.de are down, but amazon.de opens for me.

yowmamasita 14 hours ago||

The same day Kurzgesagt posted their video “Germany is over”. Huh. https://youtu.be/n-gYFcVx-8Y

cwassert 3 hours ago|

Kurzgesagt is once more highlighting the neoliberal solution: more growth.

Surely a wealth tax is not worth mentioning.

bwb 1 hour ago|||

I watched that video yesterday, their solution was to fix the pension funding problem :)

They made the point that more immigration / growth wouldn't help fix the core problem if they don't fix that asap.

Zopieux 13 hours ago||

That postmortem should be a fun read, can't wait.

retired 13 hours ago||

We shall transmit the postmortem to you via fax within 25 business days, ja.

Culonavirus 12 hours ago|||

Ok children, sit down and listen, uncle Culonavirus will tell you a story:

"It all began with the decommissioning of the last nuclear power plant, ..."

alper 3 hours ago||

Given how amateurish German IT operations is, there is no guarantee whatsoever there will be a post-mortem nor whether it then will make it out under 3-6 months with all the necessary approvals.

Tepix 2 hours ago||

Bla bla, always easy to rant...

https://blog.denic.de/denic-informiert-uber-die-behebung-der...

"Die Störung ist inzwischen behoben und alle Systeme laufen wieder stabil. Die genaue Ursache wird derzeit noch analysiert. Sobald belastbare Erkenntnisse vorliegen, wird DENIC diese transparent zur Verfügung stellen."

translation:

‘The disruption has now been resolved and all systems are running smoothly again. The exact cause is currently being investigated. As soon as reliable findings are available, DENIC will make them publicly available.’

kaltsturm 15 hours ago||

https://dnsviz.net/d/spiegel.de/dnssec/

yes indeed

merb 15 hours ago||

Well at least it’s night time which means it’s hopefully resolved in the morning.

Looks like it failed after a maintenance: https://www.namecheap.com/status-updates/planned-denic-de-re...

https://status.denic.de/

gpvos 14 hours ago|

If so, it still worked for several hours after the maintenance was completed.

taf2 13 hours ago||

ok i picked a bad day to move from one register to another... i just spent the last hour frantically trying to figure out why the new register screwed us or the old register was screwing us...

dwedge 15 hours ago||

On a slightly unrelated note, I was setting nameservers for two .de domains a few weeks ago and thought my provider was being crazily strict because they kept getting rejected. Turns out you can't point to a nameserver until that nameserver has a zone for the domain, and you can't use nameservers from two providers unless those two providers are both in the NS records at both ends

whalesalad 15 hours ago|

Common paint point with DNSSEC. It’s brutal in the domain industry because when you buy a name with DNSSEC enabled it oftentimes can’t be setup to resolve due to these sorts of issues. Typically seller needs to deactivate first.

More comments...