Broken DNSSEC Signatures Took Down Millions of .de Domains

On May 5, 2026, at roughly 19:30 UTC, something went wrong inside Germany’s internet infrastructure. DENIC, the registry operator for Germany’s .de country-code top-level domain, published broken DNSSEC signatures for the entire .de zone. The result was a DNSSEC .de TLD outage that made millions of German websites unreachable.
The .de domain is one of the largest on the internet. According to Cloudflare Radar, it consistently ranks among the most queried top-level domains worldwide. So when its cryptographic signatures broke, the ripple effect was enormous.
DNSSEC, the Domain Name System Security Extensions, works by attaching digital signatures to DNS records. These signatures let resolvers confirm that records have not been tampered with. When the signatures are valid, everything works silently. When they’re not, validating resolvers are required to reject the records and return a SERVFAIL error to the user. That is exactly what happened.
Cloudflare’s public DNS resolver, 1.1.1.1, saw an immediate spike in SERVFAIL responses at 19:30 UTC. However, the failure didn’t peak instantly. Instead, it grew steadily over the next three hours as cached records across resolvers expired one by one. Each time a resolver went back to DENIC for a fresh record, it returned with broken signatures, and another domain went dark.
DENIC’s error stemmed from a scheduled key rollover. During this process, two types of cryptographic keys are involved: a Zone Signing Key (ZSK) and a Key Signing Key (KSK). Rotating a KSK is especially delicate. The parent zone’s DS record must also be updated, and any timing mismatch can leave resolvers with signatures they simply cannot verify. That mismatch is what caused the DNSSEC .de TLD outage to cascade across millions of domains.
One thing kept the damage from being even worse: a feature called “serve stale.” Cloudflare’s 1.1.1.1 implements RFC 8767, which allows resolvers to keep serving expired cached records when upstream resolution fails. In practice, this means users whose .de records were still in cache continued getting successful responses, even as fresh queries returned SERVFAIL. The NOERROR rate on 1.1.1.1 stayed relatively stable throughout much of the incident because of this protection.
Still, serve stale could only hold the line for so long. Cloudflare also moved to apply a Negative Trust Anchor (NTA) as defined in RFC 7646. An NTA tells a validating resolver to treat a specific zone as if it were unsigned, effectively bypassing DNSSEC validation for names under that zone. Cloudflare’s internal resolver system, known as Big Pineapple, does not yet have a native NTA mechanism. Therefore, engineers applied an existing override rule to mark .de as an insecure zone, achieving the same result.
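As an added illustration (not Cloudflare’s or DENIC’s code), the constructed Python model below shows how the two mitigations interact inside a validating resolver: an RFC 8767 serve-stale cache keeps answering for names that were cached before the signatures broke, while an RFC 7646 style Negative Trust Anchor lets never-cached names resolve again, with the AD flag cleared because validation was skipped. The upstream model, the address 192.0.2.10, the TTL and the three-hour stale window are assumptions.

```python
from dataclasses import dataclass

# Constructed model of a validating resolver with serve-stale (RFC 8767) and a
# Negative Trust Anchor override (RFC 7646). Not real resolver code.
BREAK_AT = 19 * 3600 + 30 * 60   # 19:30 UTC as seconds since midnight (assumed)
FIX_AT = 22 * 3600 + 17 * 60     # 22:17 UTC, when the NTA was applied


@dataclass
class CacheEntry:
    rdata: str
    expires_at: int   # absolute time the TTL runs out
    ad: bool          # True if the answer was DNSSEC-validated


def denic_model(name, now):
    """Stand-in for the .de authority: an answer always arrives, but its RRSIG
    stops validating once the broken rollover is published at BREAK_AT."""
    sig_ok = now < BREAK_AT
    return "192.0.2.10", 3600, sig_ok


class Resolver:
    def __init__(self, upstream, max_stale=3 * 3600):
        self.upstream = upstream          # (name, now) -> (rdata, ttl, sig_ok)
        self.max_stale = max_stale        # how long past expiry stale data may be served
        self.cache = {}
        self.insecure_zones = set()       # NTA overrides: treat zone as unsigned

    def add_nta(self, zone):
        self.insecure_zones.add(zone.strip(".").lower())

    def _under_nta(self, name):
        labels = name.strip(".").lower().split(".")
        return any(".".join(labels[i:]) in self.insecure_zones for i in range(len(labels)))

    def resolve(self, name, now):
        """Returns (rcode, rdata, ad_flag)."""
        entry = self.cache.get(name)
        if entry and now < entry.expires_at:
            return "NOERROR", entry.rdata, entry.ad          # fresh cache hit
        rdata, ttl, sig_ok = self.upstream(name, now)
        if sig_ok:
            self.cache[name] = CacheEntry(rdata, now + ttl, True)
            return "NOERROR", rdata, True
        if self._under_nta(name):                            # validation bypassed
            self.cache[name] = CacheEntry(rdata, now + ttl, False)
            return "NOERROR", rdata, False                   # AD bit clear
        if entry and now < entry.expires_at + self.max_stale:
            return "NOERROR", entry.rdata, entry.ad          # RFC 8767 serve-stale
        return "SERVFAIL", None, False                       # bogus, nothing to fall back on
```

Run against the model, a name cached before 19:30 keeps answering for three hours past its TTL, a name first queried after 19:30 gets SERVFAIL, and only the NTA brings the latter back.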
This was a deliberate tradeoff. Bypassing DNSSEC validation temporarily exposed .de domains to potential spoofing attacks. Nevertheless, Cloudflare judged that acceptable given the circumstances. The signing failure was widespread, publicly confirmed, and affected every validating resolver on the internet equally. As engineers put it internally: “There is no user of 1.1.1.1 resolving a .de name right now who would prefer a SERVFAIL over an unvalidated response.”
Cloudflare rolled out the mitigation at 22:17 UTC, ending the impact on 1.1.1.1 users. The team also coordinated with fellow DNS operators via the DNS-OARC Mattermost community chat, underscoring the importance of open communication channels when critical infrastructure fails.
Additionally, engineers noted a bug in how 1.1.1.1 reports DNSSEC errors. During the DNSSEC .de TLD outage, 1.1.1.1 returned Extended DNS Error code 22 (“No Reachable Authority”), rather than the more informative code 6 (“DNSSEC Bogus”) defined in RFC 8914. This obscured the true cause of the failure. Cloudflare confirmed it will fix this in a future update.
For its part, DENIC has published a brief statement confirming the incident. The registry said the outage was linked to a routine, scheduled key rollover, during which non-validatable signatures were generated and distributed. As a precautionary measure, all future rollovers have been suspended until the root cause is fully identified.
This incident is a clear reminder of how DNS hierarchy works, and how it fails. When a top-level domain registry breaks, every domain beneath it breaks too, regardless of where it is hosted. The industry’s best defense remains speed of response, open communication, and technical safeguards like serve stale and Negative Trust Anchors.