Analysis of the DNS outage on 5 May 2026 for .de domains
11 hours ago
- #Incident
- #DNSSEC
- #DNS
- DNSSEC key rollover on 5 May 2026 led to non-validatable signatures, causing accessibility issues for .de domains for about three hours.
- A faulty code in in-house development caused three different key pairs for the same key tag, with only one public key stored, making only about a third of signatures validatable.
- The .de zone updates incrementally; validation tools detected anomalies but notifications weren't processed correctly, allowing a non-validatable zone to be published.
- Invalid signatures over NSEC3 records caused delegation information to be classified as bogus, affecting even unsigned child zones and second-level domains without DNSSEC.
- Some large resolver operators temporarily disabled validation for .de domains to mitigate user impact, and further details will be shared after analysis completion.