Overview
- DNS for Germany’s .de zone, which failed late Tuesday around 10 p.m. local time, left many sites unreachable until shortly after 1 a.m.
- Analyses show an invalid DNSSEC signature on the zone’s SOA record linked to a new signing key (key tag 33834), and operators restored service by reverting to the previous key (32911).
- Users saw NXDOMAIN errors across providers because validating resolvers blocked bad signatures, so switching to Google Public DNS or Cloudflare did not help.
- DENIC reports systems are running normally and says it will publish findings from its investigation, with no confirmed sign of a malicious attack.
- DNSSEC adds cryptographic checks to stop tampering, but a bad registry‑level signature breaks lookups for millions of domains, a risk seen before with incidents in Sweden (.se, 2022) and Russia (.ru, 2024).