.de TLD offline due to DNSSEC?

https://dnssec-analyzer.verisignlabs.com/nic.de

301•warpspin•1h ago

Comments

warpspin•1h ago

Whole .de TLD seems to go offline right now due to dnssec or missing nic.de nameservers?

fweimer•1h ago

This works:

    $ unbound-host -t A www.denic.de
    www.denic.de has address 81.91.170.12

This does not:

    $ unbound-host -D -t A www.denic.de
    www.denic.de has address 81.91.170.12
    validation failure <www.denic.de. A IN>: signature crypto failed from 194.246.96.1 for DS denic.de. while building chain of trust

So it does seem DNSSEC-related.

EDIT My explanation was wrong, this is not how keytags work. The published keytag data is consistent:

    de. 3600 IN DNSKEY 256 3 8 AwEAAfRLmzuIXVf7x5A0+U7hke0dS+GEJG0EdPhnOthCCLhy0t0WqLyoXJOhnfsTJ8vQX5fd9qOJc9gyr3SWJZkXAhPm3yPSC7FWWHF70WZTKKM9CekmKdqwMwq6ZCjMSUcecCuSF4Sbt1MRszV7rFmfGVklA1l5UzNbqwD+Dr5vfcLn ;{id = 33834 (zsk), size = 1024b}
    de. 3600 IN DNSKEY 257 3 8 AwEAAbWUSd/QN9Ae543xzdiacY6qbjwtZ21QfmdgxRdm4Z7bjjHWy249uqxCyjjjoS4LDoRDKmj7ElffMKvTWKE1qFKu0p8TUy4wyhX0M+m5FUjvQ3CiZMi+qY7GSHA5B+Zd73cidmnTeb3e8lso6jEsXg05/VZ2AyAqWF6FexEIFxIqiwwLk4UP0BwZ17Ur3q1qx9VSbPMyHgQ9d6nHUN1EEJsTDA2v0vKumsUyp74ZanRZ/bB/6IzpaaZyr5BLF5pSCNdbRNjVmkwYD0993vm79LueyOeibsoHRc16jhALrIJou1PFjdq7YQsYN0KtqRiJtaAfPprDBREpeamPuW/MnW0= ;{id = 26755 (ksk), size = 2048b}
    de. 3600 IN DNSKEY 256 3 8 AwEAAbTe1PJi8EgIudNGb+KRTxBL2aCu5rXkZ+aIe/TC88pwRdrXYeXODp1ihZWFop5CrbWRBLrk/YUPBE8aBc6oJP+58dSkdMLYkjSkmvdvYx+zXnRLWlF2bapxvZxshATJDfGjGbCiWxKEOoyRx3UhICtHC+cUSddsEvzfacUcBb6n ;{id = 32911 (zsk), size = 1024b}
    de. 3600 IN RRSIG DNSKEY 8 1 3600 20260519030655 20260505013655 26755 de. ke56T5GZt/X6zMBAF+ouyCTnAd7RY7MsnDcfa9jyyOwSouRXhvzim/V13JDTMBAnpAHxWQXoruXrAZ6A6re5N+8Pp2utVkAEKTWs0r4UOLNKoZ2+zMwNplKjNNnY5PJIbHfa5myyziLiIsi//qDIgQEACFk+pZcHXrRdqRoXPCL3UtfaXjk3+duDQdlPnYsJys5UshjVpkALSMChW7J0anzr0sG+f9ytstBneymMwFYOUC3NqbejbLPZsXGPZBQKPAoVJuV5q3znopbcqrDFfjI7bmX3QPYNvOaiT1ElBfi2piJVpDzMaMAmm2jCmvrf5VeTOBccMroh8sBtDPsaEg== ;{id = 26755}

The signature on the SOA record still does not verify:

    de. 86400 IN SOA f.nic.de. dns-operations.denic.de. 1778014672 7200 7200 3600000 7200
    de. 86400 IN RRSIG SOA 8 1 86400 20260519205754 20260505192754 33834 de. aZoiAJ+PaHUDVSHNXfV/R26ZK3GpFB7ek2Z46VnZdmPEDaTww+a7PkiQ98W83xohUunXYSvQCMeGYfUre5UT76eBKThdxW2a6ImX9/x/oEzQ9x/69Y/NSeTckOv9m3HCLBOug01op1koiHOIAVEvonOmXEHHqo1P4sR/fNbcVg4= ;{id = 33834}

kaltsturm•41m ago

not all: https://www.heise.de/ works

warpspin•38m ago

Probably just a high TTL.

0123456789ABCDE•13m ago

can confirm, at least another 54k seconds from where i sit

edb_123•6m ago

Doesn't work here, at least not anymore. Every single .de domain I have tried doesn't resolve.

kangalioo•1h ago

So glad I found someone mention this. Amazon.de, SPIEGEL.de is down. Highly prominent sites unreachable. I wonder how long this will last and how big of a thing this ends up being once people talk about it :o Feels big to me

moltar•1h ago

Both examples open for me

irundebian•1h ago

Some domains work, some not. I assume that working domains are cached.

balou23•1h ago

amazon.de, spiegel.de are down for me, too. heise.de works, but that might've been cached somewhere on my side.

yk•47m ago

dig manages to dig out ips for heise.de and tagesschau.de but not spiegel.de amazon.de and google.de However, dig @8.8.8.8 has still amazon.de cached, unlike 1.1.1.1 so perhaps Google to the rescue?

[Edit] After playing around with it, google seems to have at least some pages cached. After setting dns to 8.8.8.8 amazon.de and spiegel.de work again, my blog does not.

theanonymousone•34m ago

idealo.de, ebay.de, and spiegel.de are down, but amazon.de opens for me.

hmilch99•1h ago

https://pastebin.com/2mQUB8xX seems like someone's going to have a lot of fun tonight

krystofbe•1h ago

Looks like a DNSSEC issue, not a nameserver outage. Validating resolvers SERVFAIL on every .de name with EDE:

RRSIG with malformed signature found for a0d5d1p51kijsevll74k523htmq406bk.de/nsec3 (keytag=33834) dig +cd amazon.de @8.8.8.8 works, dig amazon.de @a.nic.de works. Zone data is intact, DENIC just published an RRSIG over an NSEC3 record that doesn't validate against ZSK 33834. Every validating resolver therefore refuses to answer.

Intermittency fits anycast: some [a-n].nic.de instances still serve the previous (good) signatures, so retries occasionally land on a healthy auth. Per DENIC's FAQ the .de ZSK rotates every 5 weeks via pre-publish, so this smells like a botched rollover.

qazwsxedchac•3m ago

So a single configuration mistake in a single place wiped out external reachability of a major economy. It happened in the evening local time and should be fixable, modulo cache TTLs, by morning. This will limit the blast radius somewhat.

Still, at this level, brittle infrastructure is a political risk. The internet's famous "routing around damage" isn't quite working here. Sould make for an interesting post mortem.

nuil•1h ago

Looks Like a DNSSEC error:

https://dnssec-analyzer.verisignlabs.com/nic.de

binghatch•1h ago

Wow… it’s definitely not all .de TLDs, but a lot of prominent ones definitely.

phit_•1h ago

its gonna be all .de domains once caches dry out, anything that still works right now is bound to eventually fail until the underlying issue is resolved

fossdd•55m ago

Any .de domain with DNSSEC

meineerde•47m ago

Any .de domain is affected, regardless of the domain's dnssec deployment status, as long as you use a resolver which validates dnssec.

mrngm•23m ago

Unfortunately, even domains that did not have DNSSEC enabled earlier today are affected.

We observed issues on a non-DNSSEC .de domain at 19:45Z and confirmed around 20:12Z it wasn't just us, but also more high profile domain names.

eliaskg•29m ago

Amazon is completely down in Germany. Not only on amazon.de, even in the app.

sundiver•1h ago

Yes, all .de domains down because of DNSSEC failure at Denic https://dnsviz.net/d/de/dnssec/

taegee•1h ago

https://i.imgur.com/eAwdKEC.png

Edit: Alternative link: https://www.cyberciti.biz/media/new/cms/2017/04/dns.jpg

notpushkin•53m ago

  {"data":{"error":"Imgur is temporarily over capacity. Please try again later."},"success":false,"status":403}

There is some strange irony to this, I suppose.

yjftsjthsd-h•51m ago

In my experience, that error is a lie and is what you get if they've IP blocked you. (Easy to hit on a VPN, in particular)

itvision•43m ago

A protection against bad networks, including VPN.

It's been like that for over two years now.

ricardo81•38m ago

I get "content not viewable in your region", from the UK. Not an ideal image sharing website nowadays.

_ache_•19m ago

https://dns.kitchen/dns.mp4

Or: https://dns.kitchen/jingle

pogii123•1h ago

For me bmw.de works but www.bmw.de not

benny_s•57m ago

bmw.de is down for me too

MikeNotThePope•52m ago

Both domains page load for me from Amsterdam. I wonder if there's communication disruption. Undersea cable severed?

pogii123•52m ago

$ nslookup bmw.de ~ Server: 8.8.8.8 Address: 8.8.8.8#53

Non-authoritative answer: Name: bmw.de Address: 160.46.226.165

$ nslookup www.bmw.de ~ ;; Got SERVFAIL reply from 8.8.8.8, trying next server Server: 8.8.4.4 Address: 8.8.4.4#53

* server can't find www.bmw.de: SERVFAIL

dark-star•40m ago

You mean the big undersea cable between the Netherlands and Germany? ;-)

dark-star•39m ago

both work for me from inside Germany

jamietanna•1h ago

Was wondering why a few of my sites aren't CSSing, as they use https://classless.de

kaltsturm•42m ago

cache

iknowstuff•1h ago

Kurzgesagt predicted this, Germany is OVER

irundebian•51m ago

Danke Merkel

merb•1h ago

Well at least it’s night time which means it’s hopefully resolved in the morning.

Looks like it failed after a maintenance: https://www.namecheap.com/status-updates/planned-denic-de-re...

https://status.denic.de/

1vuio0pswjnm7•57m ago

.de TLD is online. DNS working fine

DNSSEC not working

If using an open resolver, i.e., a shared DNS cache, e.g., third party DNS service such as Google, Cloudflare, etc., then it might fail, or it might not. It depends on the third party DNS provider

https://datatracker.ietf.org/meeting/118/materials/slides-11...

lxgr•55m ago

Wow, I thought I was somehow unaffected but my resolver must just have cached the sites I'd tried.

kuerbel•54m ago

I just spent the better half of an hour to debug unbound and the pihole because I thought it's a me problem...

Good news though, if you add domain-insecure: "de" to your unbound config everything works fine

victorbjorklund•52m ago

Same haha

chromehearts•49m ago

SAMEEEEE !!!

Bender•41m ago

I don't even enable DNSSEC in Unbound. There just isn't enough adoption yet for me to feel like I am missing out on something, yet.

"Cloudflare Radar data shows 8.11% of domains are signed with DNSSEC, but only 0.47% of queries are validated end-to-end." [1]

Zones I may care about:

- Amazon.com: unsigned

- My banks: unsigned

- Hacker News: unsigned

- Email that I do not host: unsigned

- My power companies billing: unsigned

- I found some! id.me and irs.gov are signed.

[1] - https://technologychecker.io/blog/dnssec-adoption

__michaelg•54m ago

Finally establishing the concept of Feiertag on the internet. Come back tomorrow.

9753268996433•37m ago

Using this newfangled thingamabob on a silent holiday will result in the police kicking in your door the next morning.

throw1234567891•29m ago

Internetfreie Dienstage, 21st century variant of Autofreie Sonntage.

sunaookami•53m ago

https://status.denic.de/ says "Partial Service Disruption" for DNS Nameservice now.

EDIT: it says "Service Disruption" now

MASNeo•43m ago

At least they have some humor left.

Edit: Now even the humor is gone.

sunaookami•22m ago

Can only be topped when the status page is not reachable anymore :D

lschueller•10m ago

Or only accessible through a german dns server

niklasrde•5m ago

It says "Server Not Found" now

chromehearts•53m ago

I was STRESSING tf out because I wasn't able to connect to my services & apps through my domains like at all .. they only work when using my phone data ? .. thank god it's not my fault this time

Locke80•43m ago

But we're Germans, and we need someone to blame.

AndroTux•34m ago

I'm blaming chromehearts anyways

lschueller•17m ago

Thank god for the german chain of blame: 1. The system 2. The neighbor 3. China

warpspin•7m ago

You definitely forgot Merkel and Habeck.

Cockbrand•6m ago

Danke Merkel!!1!11!!

victorbjorklund•53m ago

I was just wondering what was up with our .de site.

jiggawatts•51m ago

I work with a few people specialised in IT security, and some of them take their jobs too seriously and will "lock down" everything to the point that it becomes a very real risk that they lock out everyone including themselves.

Fundamentally, security is a solution to an availability problem: The desire of the users is for a system to remain available despite external attack.

Systems that become unavailable to everyone fail this requirement.

A door with its keyhole welded shut is not "secure", it's broken.

QuantumNomad_•40m ago

Security is not just a solution to availability. It is also to keep sensitive data (PII, or business secrets, or passwords, or cryptographic private keys, and so on) away from the hands of bad actors.

If I’m unable to use Amazon for 24 hours it doesn’t really matter. If a photo copy of my passport is leaked that’s worries and potential troubles for years.

senkora•35m ago

Security = Confidentiality + Integrity + Availability

or alternatively,

Security = (exclude unauth'd reads) + (exclude unauth'd writes) + (include auth'd reads and auth'd writes)

Gotta satisfy all parts in order to have security.

jiggawatts•24m ago

If you squint at it, you can convert all three to just availability.

    Confidentiality = available to us, but nobody else.

    Integrity = available to us in a pristine condition.

It's a bit reductive, I'll admit, but it can be a useful exercise in the same way that everything in an economy can be reduce to units of either: "human time", "money" or "energy". Roughly speaking they're interchangeable.

E.g.: What's the benefit to you if your data is so confidential that you can't read it either? This is a real problem with some health information systems, where I can't access my own health records! Ditto with many government bureaucracies that keep my records safe and secure from me.

yosamino•43m ago

The last time .de I remember .de had a major outage like this was 2010. I would cite some sources but... you know. That was a fun afternoon, though.

I am very happy that it doesn't happen more often.

kaltsturm•43m ago

https://dnsviz.net/d/spiegel.de/dnssec/

yes indeed

dark-star•41m ago

How come I have zero problems with any .de domain I tried accessing in the last half hour?

pw6hv•39m ago

cache

AndroTux•37m ago

maybe your upstream doesn't validate DNSSEC?

dark-star•30m ago

maybe? I'm using PiHole and 8.8.8.8/1.1.1.1 as upstream, and both options show "DNSSEC" next to their options in settings, so I assumed DNSSEC was enabled (unless I have to enable this somewhere else as well?)

warpspin•24m ago

That's weird cause 8.8.8.8/1.1.1.1 will already answer with SERVFAIL right now, unless the domain is still in the cache.

kaltsturm•39m ago

even their own status page is not reachable: https://status.denic.de/

As fallback they should use their X account: https://x.com/denic_de

dgellow•17m ago

Seems to be up now?

May 5, 2026 23:28 CEST

May 5, 2026 21:28 UTC

INVESTIGATING

Frankfurt am Main, 5 May 2026 – DENIC eG is currently experiencing a disruption in its DNS service for .de domains. As a result, all DNSSEC-signed .de domains are currently affected in their reachability. The root cause of the disruption has not yet been fully identified. DENIC’s technical teams are working intensively on analysis and on restoring stable operations as quickly as possible. Based on current information, users and operators of .de domains may experience impairments in domain resolution. Further updates will be provided as soon as reliable findings on the cause and recovery are available. DENIC asks all affected parties for their understanding. For further enquiries, DENIC can be contacted via the usual channels.

elch•13m ago

All .de domains are down for me.

kaltsturm•12m ago

with firefox: KO with chrome: OK

sunaookami•4m ago

They did now! https://x.com/denic_de/status/2051779175908774148

tarruda•36m ago

Mailbox.org (also from Germany) seems to be experiencing issues too.

pocksuppet•35m ago

I must be early. There's not a single tptacek DNSSEC rant in this thread yet.

aberoham•32m ago

He’s busy with MathAcademy earning XP-SEC

mike-cardwell•24m ago

Perhaps he's moribund

0123456789ABCDE•8m ago

doesn't this event speak for itself though?

elevation•34m ago

I've considered hard-coding some addresses into firmware as a fallback for a DNS outtage (which is more likely than not just misconfigured local DNS.) Events like this help justify this approach to the unconcerned.

whalesalad•25m ago

The irony is that DNS is a global and distributed system meant to be resilient. It’s the DNSSEC layer on top in this case causing problems.

siginator•34m ago

how is that possible?

dwedge•30m ago

On a slightly unrelated note, I was setting nameservers for two .de domains a few weeks ago and thought my provider was being crazily strict because they kept getting rejected. Turns out you can't point to a nameserver until that nameserver has a zone for the domain, and you can't use nameservers from two providers unless those two providers are both in the NS records at both ends

whalesalad•27m ago

Common paint point with DNSSEC. It’s brutal in the domain industry because when you buy a name with DNSSEC enabled it oftentimes can’t be setup to resolve due to these sorts of issues. Typically seller needs to deactivate first.

siva7•24m ago

Crazy. I can't remember an incident like this ever happened before and it's still not fixed? .de is probably the most important unrestricted domain after .com from an economical perspective. Millions of businesses are "down".

lschueller•20m ago

It's Germany, pessimistic time estimation + 1/3 and you are in a realistic time frame for the issue being resolved.

warpspin•17m ago

It's night. Somebody has to fill a form to approve night work first.

snapetom•11m ago

Luckily it's not Sunday. Everyone would be out in the country hiking.

lschueller•6m ago

Or reading the latest prints about tax filings and how to conduct a compliance audit with pen and paper.

Culonavirus•3m ago

jeeze, imagine putin launching nukes on friday evening!

greyhound•5m ago

And send it by post for approval, which will take 5-30 business days.

9dev•2m ago

Oh come on, that’s not true. You could also fax it. That might come with an additional processing fee though.

Cockbrand•7m ago

In addition: it's Germany, pessimistic cost estimation + 2000%, and you are in a realistic budget for the issue being resolved.

lschueller•5m ago

:D... before tax!

rwmj•15m ago

I remember when .com went down, in July 1997.

https://archive.nytimes.com/www.nytimes.com/library/cyber/we...

AndroTux•6m ago

DENIC apparently resolved all .de domains to NXDOMAIN in 2010: https://www.theregister.com/2010/05/12/germany_top_level_dom...

whalesalad•11m ago

You can visually see this anomaly in many of CF Radar's charts: https://radar.cloudflare.com/dns/de?dateRange=1d

g4cg54g54•2m ago

funfact: enabling DNS sec NOW will fix your domain instantly if dnssec was disabled before

-> no idea if that also "heals" anyone who had dnssec on before.

-> no idea if maybe they need to roll back something and then rebreak the new dnssec i made a minute later lol...

Complete Guide: How to Integrate Beehiiv with Hugo via Cloudflare Workers

E.F. Schumacher: The Other Way (1975)

Span to launch distributed AI data centers for edge compute

A website ranking judges by elo for the cases they dismiss in SF

Sovereign AI: Control, Choice, and Why It Goes Beyond Geopolitics

Big-fish–little-pond effect

How the Emerging Indian Middle Handles Money

Bose Brings Back Its 'Lifestyle' Branding with New Speakers for the Home

Perplexity Computer for Professional Finance

Why did AI destroy my production database?

Apple Reaches $250M Settlement Over Claims It Misled People on A.I

UK's National Health Service to close-source 100+ repos over security concerns

Show HN: Keyterm Filtering for Voice AI

Tokenmaxxing: Brute-Forcing AGI by Scaling Usage

Artificial SUPER INTELLIGENCE Asolaria on a 16gb RAM stick

Apartments Are the Climate Solution Hiding in Plain Sight

RFK Jr. plans to curb antidepressants, which he falsely compares to heroin

Vibe coding or spec-driven development? How to choose

Models hallucinate more than you think

Write some software, give it away for free

A virtual copy of your brain? Scientists say it's closer than you think

Pragmatic Agent-Native Architecture

The Quest for Equivalent Exchange – Supporting Exchange in Thunderbird

Amplitude and Statsig Partnership

Show HN: Rocketship, the only AI app builder with built-in sales team

Software as the Product of Obsession Times Voice

Shalizi's frame of artificial intelligence as mechanized tradition

Stephen Hawking fan tests time travel with past party invites (2013)

How Americans Caught Gold Fever Again

AI and Temporal Arbitrage