German DNS failure leaves .de domains inaccessible worldwide
German domains with the .de extension became inaccessible starting at 9:50 pm on May 5th. The issue affected any attempt to resolve .de zone addresses through DNS servers that validate DNSSEC, preventing access to sites like heise.de and Deutsche Bahn. The failure affected users globally, regardless of their chosen DNS provider.
The root cause was a malformed digital signature. RRSIG records, which contain the digital signatures that confirm the authenticity of DNS responses, had validation errors. The problem specifically affected the SOA (Start of Authority) record in the .de zone, which was signed invalidly, according to analysis with diagnostic tools such as dig and dnsviz.
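An added example, not from the original article or from DENIC: the comparison that `dig +cdflag` makes possible, in Python. It contrasts a resolver's normal reply with its reply to the same query sent with the Checking Disabled (CD) bit, which separates a DNSSEC validation failure from a name that really does not exist. The function names are hypothetical and the response bytes produced by `sample()` are constructed, not captured traffic.

```python
import socket
import struct

CD, AD, RD = 0x0010, 0x0020, 0x0100   # header flag bits (RFC 1035, RFC 4035)
NOERROR, NXDOMAIN = 0, 3

def build_query(name, qtype=6, cd=False, txid=0x1234):
    """DNS query (default type 6 = SOA) with the EDNS0 DO bit set.
    cd=True asks a validating resolver to return data without validating it."""
    header = struct.pack("!6H", txid, RD | (CD if cd else 0), 1, 0, 0, 1)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT pseudo-record: root name, type 41, UDP size 1232, DO flag 0x8000
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + qname + struct.pack("!2H", qtype, 1) + opt

def ask(resolver_ip, query, timeout=3.0):
    """Send one UDP query to a resolver; needs network access, unused by the samples."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        return s.recvfrom(4096)[0]

def parse_header(msg):
    _, flags, _, ancount, _, _ = struct.unpack("!6H", msg[:12])
    return {"rcode": flags & 0xF, "ad": bool(flags & AD), "answers": ancount}

def classify(validated, unchecked):
    """Compare the reply to a normal query with the reply to the same query sent with CD=1."""
    v, u = parse_header(validated), parse_header(unchecked)
    if v["rcode"] == NOERROR:
        return "secure" if v["ad"] else "resolved-without-validation"
    if u["rcode"] == NOERROR and u["answers"] > 0:
        return "dnssec-validation-failure"   # data exists, only validation rejects it
    if v["rcode"] == NXDOMAIN and u["rcode"] == NXDOMAIN:
        return "nonexistent"
    return "resolver-or-server-failure"

def sample(rcode, ad=False, cd=False, answers=0):
    """Constructed 12-byte response header for offline use (not captured traffic)."""
    flags = 0x8000 | RD | 0x0080 | (AD if ad else 0) | (CD if cd else 0) | rcode
    return struct.pack("!6H", 0x1234, flags, 1, answers, 0, 0)

if __name__ == "__main__":
    # Normal query fails (rcode 2), CD=1 query returns data: validation is the cause.
    print(classify(sample(2), sample(0, cd=True, answers=1)))
```

Against a live resolver, `classify(ask(ip, build_query("de")), ask(ip, build_query("de", cd=True)))` performs the same comparison on real replies.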
DNSSEC validation caused cascading blocking
DNS servers that implement strict DNSSEC validation rejected any queries for .de domains. Google (8.8.8.8), Cloudflare (1.1.1.1) and internet service providers returned an NXDOMAIN message, indicating that the domain does not exist, even for legitimate and functional websites. Changing the DNS server in the router or computer configuration did not resolve the issue while DNSSEC validation remained active.
The symptoms were immediate:
- Travel apps crashing (like Deutsche Bahn’s)
- Browsers displaying error messages when trying to access .de sites
- Email clients unable to resolve German mail servers
- Inability to connect to any DNSSEC-validated .de domain
DENIC, the entity responsible for the registration and administration of .de domains, published a notice of a “Partial interruption of Service” on its status website at 10:55 pm. Hours later it revised the description, stating that all .de domains with a DNSSEC signature were experiencing issues, although later reports indicated that domains without DNSSEC were also impacted.
Emergency solution through non-validating DNS
During the period of unavailability, users found a workaround by configuring DNS servers that do not validate DNSSEC. Two options stood out:
- Level 3: addresses 4.2.2.1 and 4.2.2.6
- Quad9: address 9.9.9.10
This method restored immediate access to affected .de domains because it bypassed the strict validation that blocked them. However, the solution required technical knowledge and access to the user’s network settings or router.
DENIC recovers the zone in the early hours
The early morning of May 6th marked the recovery. DENIC renewed the signature of the .de zone, allowing DNSSEC validation to function correctly again. The resolution announcement arrived at 3:42 am, but specific details about the error and its trigger remained unavailable at that time.
Cloudflare, in turn, temporarily disabled DNSSEC validation for .de domains as a protective measure, as Dane Knecht, the company’s CTO, communicated on the X platform. The procedure follows the protocol described in RFC 7646, which establishes standards for temporary deactivation of DNSSEC validation.
Economic and reputational impact
The outage hit Germany’s digital economy during critical hours. Travel, e-commerce, financial services and communications companies faced complete unavailability without prior notice. Users had no obvious solution; many were unaware of the existence of alternative DNS servers or of the relationship between DNSSEC and their connectivity issues. Corporate networks had to implement emergency changes to DNS configurations to maintain operations.
The incident exposed a critical vulnerability: absolute reliance on DNSSEC validation can become a single point of failure when zone configurations have errors. Unvalidated domains also suffered collateral impact, suggesting that the issue propagated beyond the initial scope described by DENIC.
The investigation into the full explanation of the origin of the malformed signature was still ongoing in the days after the incident.
















