.de / tld / domain

Germany’s .de registry reported that a routine DNSSEC key rollover on 5 May 2026 generated and published non-validatable signatures, causing validating DNS resolvers to fail verification for .de domains for about three hours before service was fully restored overnight. The registry said its DNSSEC signing stack uses Knot plus in-house code with hardware security modules, and a third-generation system was deployed in April 2026 after testing and external audit. A faulty in-house change produced three different key pairs for the same key tag (33834), while only one public key was published in DNSKEY records, leaving roughly two-thirds of RRSIG records unverifiable. Monitoring detected the issue, but alerts were not handled correctly. Invalid NSEC3 signatures made delegations appear bogus, affecting even non-DNSSEC second-level domains.

DNSSEC disruption affecting .de domains

Germany’s domain registry DENIC experienced a DNS service disruption on May 5, 2026 that made DNSSEC-signed .de domains unreachable for roughly two hours; services were reported restored by 01:34 CEST on May 6. DENIC’s teams investigated the incident, noting the root cause was not immediately identified and promising further updates as analysis continued. The outage affected resolution of .de domains, potentially impacting websites, services and operators relying on DNSSEC for integrity and availability. The incident underscores risks around critical internet infrastructure and the importance of resilience, monitoring and incident communication from national registries.