Looks like a DNSSEC issue, not a nameserver outage. Validating resolvers SERVFAIL on every .de name with EDE:
RRSIG with malformed signature found for
a0d5d1p51kijsevll74k523htmq406bk.de/nsec3 (keytag=33834)
dig +cd amazon.de @8.8.8.8 works, dig amazon.de @a.nic.de works. Zone data is intact, DENIC just published an RRSIG over an NSEC3 record that doesn't validate against ZSK 33834. Every validating resolver therefore refuses to answer.
Intermittency fits anycast: some [a-n].nic.de instances still serve the previous (good) signatures, so retries occasionally land on a healthy auth. Per DENIC's FAQ the .de ZSK rotates every 5 weeks via pre-publish, so this smells like a botched rollover.
I have never used DNSSEC and never really bothered implementing it, but do I understand it correctly that we took the decentralized platform DNS was and added a single-point-of-failure certificate layer on top of it which now breaks because the central organisation managing this certificate has an outage taking basically all domains with them?
chromeheartsyesterday at 8:53 PM
I was STRESSING tf out because I wasn't able to connect to my services & apps through my domains like at all .. they only work when using my phone data ? .. thank god it's not my fault this time
siva7yesterday at 9:22 PM
Crazy. I can't remember an incident like this ever happened before and it's still not fixed? .de is probably the most important unrestricted domain after .com from an economical perspective. Millions of businesses are "down".
I just spent the better half of an hour to debug unbound and the pihole because I thought it's a me problem...
Good news though, if you add domain-insecure: "de" to your unbound config everything works fine
__michaelgyesterday at 8:52 PM
Finally establishing the concept of Feiertag on the internet. Come back tomorrow.
1vuio0pswjnm7yesterday at 8:48 PM
.de TLD is online. DNS working fine
DNSSEC not working
If using an open resolver, i.e., a shared DNS cache, e.g., third party DNS service such as Google, Cloudflare, etc., then it might fail, or it might not. It depends on the third party DNS provider
This is the kind of system failure that we need really good and well tested disaster recovery plans for. While not necessary this time, DENIC and any critical infrastructure provider should be able to rebuild their entire infrastructure from scratch in a tolerable amount of time (Rather days than hours in the case of a full rebuild). Importantly the disaster recovery plan has to work without reliance on either the system that is failing, but also on adjacent systems that might have hidden dependencies on the failing system.
I'm really not too close to Denic and know nothing about their internals, but just close enough to have experienced the stress of someone working for DENIC second hand during the outage. From the very limited information I happened to gather DENIC had some trouble in addressing the issue because, surprise, infrastructure that they need to do so runs on de domains. [1]
I'm convinced there are all kinds of extended cyclic decencies between different centralization points in the net.
If some important backbone of the internet is down for an extended time, this will absolutely cause cascading failures. And thesw central points of failure are only getting worse. I love Let's Encrypt, but if something causes them to hard fail things will go really bad once certificates start to expire.
We need concrete plans to cold start extended parts of the internet. If things go really bad once and communication lines start to fail, we're in for a bad time.
Maybe governments have redundant, ultra resistant, low tech communication lines, war rooms and a list of important people in the industry who they can find and put in these war rooms so they can coordinate the rebuild of infrastructure. But I doubt it.
[^1] I don't know if there is some kind of disaster plan in the drawer at DENIC that would address this. I don't mean to allege anything against DENIC specifically, but broadly speaking about companies and infrastructure providers, I would not be surprised if there was absolutely no plan on what to do if things really go down and how to cold start cyclic dependencies or where they even are.
edb_123yesterday at 10:29 PM
Things seem to be on their way up now, and https://status.denic.de/ is working again, at least from here.
DENIC's status page currently says "Frankfurt am Main, 5 May 2026 â DENIC eG is currently experiencing a disruption in its DNS service for .de domains. As a result, all DNSSEC-signed .de domains are currently affected in their reachability.
The root cause of the disruption has not yet been fully identified. DENICâs technical teams are working intensively on analysis and on restoring stable operations as quickly as possible.
alpertoday at 9:24 AM
I'd expect political escalation for something like this but given that this is Germany, who knows.
I've considered hard-coding some addresses into firmware as a fallback for a DNS outtage (which is more likely than not just misconfigured local DNS.) Events like this help justify this approach to the unconcerned.
kangaliooyesterday at 8:23 PM
So glad I found someone mention this. Amazon.de, SPIEGEL.de is down. Highly prominent sites unreachable. I wonder how long this will last and how big of a thing this ends up being once people talk about it :o Feels big to me
ok i picked a bad day to move from one register to another... i just spent the last hour frantically trying to figure out why the new register screwed us or the old register was screwing us...
dwedgeyesterday at 9:16 PM
On a slightly unrelated note, I was setting nameservers for two .de domains a few weeks ago and thought my provider was being crazily strict because they kept getting rejected. Turns out you can't point to a nameserver until that nameserver has a zone for the domain, and you can't use nameservers from two providers unless those two providers are both in the NS records at both ends
Wow, I thought I was somehow unaffected but my resolver must just have cached the sites I'd tried.
deletedyesterday at 11:25 PM
kaltsturmyesterday at 10:19 PM
from my analysis DENIC resigned the .de zone today (May 5, 2026, ~17:49 UTC). The DNSSEC signature (RRSIG) for the NSEC3 record covering the hash range of nearly all .de TLD is cryptographically broken (malformed).
binghatchyesterday at 8:30 PM
Wow⊠itâs definitely not all .de TLDs, but a lot of prominent ones definitely.
tarrudayesterday at 9:09 PM
Mailbox.org (also from Germany) seems to be experiencing issues too.
jdthediscipletoday at 6:17 AM
Seems up again. How briefly did the outage last?
jiveturkeyyesterday at 10:32 PM
Itâs not DNS
Thereâs no way itâs DNS
It was DNSSEC
bfleschyesterday at 10:09 PM
On Monday there was a huge outage affecting several cities quite close to Frankfurt because someone cut major fiber line; today DENIC is having a party and right when everyone is drunk this happens because some post-rotation task cannot be completed.
quad9 seems to be having problems with DNSSEC as well
Animuxyesterday at 10:21 PM
Seems to be fixed now.
dark-staryesterday at 9:05 PM
How come I have zero problems with any .de domain I tried accessing in the last half hour?
jiggawattsyesterday at 8:55 PM
I work with a few people specialised in IT security, and some of them take their jobs too seriously and will "lock down" everything to the point that it becomes a very real risk that they lock out everyone including themselves.
Fundamentally, security is a solution to an availability problem: The desire of the users is for a system to remain available despite external attack.
Systems that become unavailable to everyone fail this requirement.
A door with its keyhole welded shut is not "secure", it's broken.
sanbaidengyesterday at 9:57 PM
aiimageupscaler
siginatoryesterday at 9:12 PM
how is that possible?
pogii123yesterday at 8:37 PM
For me bmw.de works but www.bmw.de not
neverrrootyesterday at 10:18 PM
[flagged]
deletedyesterday at 8:27 PM
evan0721today at 3:54 AM
[dead]
blmaniacyesterday at 8:49 PM
[dead]
siginatoryesterday at 9:14 PM
[dead]
lpcvoidyesterday at 8:39 PM
[dead]
ameliusyesterday at 10:46 PM
Maybe related to this? Crazy idea, but nothing surprises me anymore.