<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>DNSSEC on The Coders Blog</title><link>https://thecodersblog.com/tag/dnssec/</link><description>Recent content in DNSSEC on The Coders Blog</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Wed, 06 May 2026 22:22:12 +0000</lastBuildDate><atom:link href="https://thecodersblog.com/tag/dnssec/index.xml" rel="self" type="application/rss+xml"/><item><title>When DNSSEC Goes Wrong: Responding to the .de TLD Outage</title><link>https://thecodersblog.com/dnssec-incident-response-for-de-tld-2026/</link><pubDate>Wed, 06 May 2026 22:22:12 +0000</pubDate><guid>https://thecodersblog.com/dnssec-incident-response-for-de-tld-2026/</guid><description>&lt;p&gt;Millions of .de domains vanished from the internet on May 5, 2026, not due to a sophisticated attack, but a seemingly routine DNSSEC key rotation gone awry. DENIC, the registry for Germany&amp;rsquo;s country-code top-level domain, inadvertently published incorrect DNSSEC signatures, triggering widespread SERVFAIL errors on validating resolvers worldwide. For users of services like Cloudflare&amp;rsquo;s 1.1.1.1, this meant the .de TLD effectively ceased to exist for several agonizing hours.&lt;/p&gt;
&lt;h3 id="the-core-problem-broken-signatures-broken-resolution"&gt;The Core Problem: Broken Signatures, Broken Resolution&lt;/h3&gt;
&lt;p&gt;The incident stemmed from a faulty Zone Signing Key (ZSK) rotation. During this process, DENIC’s system introduced malformed RRSIG records for the .de zone. Specifically, the ZSK tag 33834 was found on an NSEC3 record, a configuration that, when combined with other factors in the validation chain, broke the cryptographic trust model. When a validating resolver queried for a .de domain, it received these flawed signatures, leading it to conclude the DNS data was untrustworthy and respond with SERVFAIL. This &amp;ldquo;fail-closed&amp;rdquo; nature of DNSSEC, while intended to prevent spoofing, directly translated operational errors into complete service unavailability.&lt;/p&gt;</description></item><item><title>DNSSEC Outage Disrupts .de Domains, Now Resolved</title><link>https://thecodersblog.com/dnssec-disruption-affecting-de-domains-2026/</link><pubDate>Wed, 06 May 2026 17:00:05 +0000</pubDate><guid>https://thecodersblog.com/dnssec-disruption-affecting-de-domains-2026/</guid><description>&lt;p&gt;Hundreds of thousands of .de domains suddenly became unreachable on May 5, 2026, not due to a massive denial-of-service attack or a widespread network failure, but a single misconfiguration in the Domain Name System Security Extensions (DNSSEC) implementation at DENIC eG, the registry for Germany&amp;rsquo;s country-code top-level domain. For several hours, users relying on validating DNS resolvers encountered frustrating &lt;code&gt;SERVFAIL&lt;/code&gt; errors, effectively rendering a significant portion of the German internet invisible. 
This incident serves as a stark, albeit temporary, reminder of the inherent complexities and critical fragility underlying our internet&amp;rsquo;s security infrastructure.&lt;/p&gt;</description></item><item><title>.de TLD Offline: DNSSEC Vulnerabilities Expose Infrastructure Weaknesses</title><link>https://thecodersblog.com/de-tld-dnssec-outage-analysis-2026/</link><pubDate>Wed, 06 May 2026 03:34:18 +0000</pubDate><guid>https://thecodersblog.com/de-tld-dnssec-outage-analysis-2026/</guid><description>&lt;p&gt;The internet ground to a halt for legions of &lt;code&gt;.de&lt;/code&gt; domain users around May 5, 2026, not because of a widespread BGP incident or a distributed denial-of-service attack, but because of a self-inflicted wound at the heart of the Domain Name System Security Extensions (DNSSEC) implementation. A botched key rollover by DENIC, the registry for the &lt;code&gt;.de&lt;/code&gt; top-level domain, effectively severed the chain of trust for millions of users relying on validating DNS resolvers.&lt;/p&gt;</description></item></channel></rss>