SYSTEM Cited by 1 source
DENIC
DENIC eG is the registry operator for the .de
country-code top-level domain (ccTLD) — the TLD for Germany and
one of the largest on the Internet. DENIC runs the authoritative
nameservers for the .de zone and operates the signing
infrastructure that produces DNSSEC signatures for every
delegation under .de.
The .de TLD is consistently among the most broadly queried
TLDs globally per Cloudflare Radar.
A failure at DENIC's altitude affects every domain under .de
simultaneously — see
concepts/tld-level-failure-blast-radius.
Role in the DNS hierarchy
DENIC is a parent-zone operator in DNSSEC's
chain of trust. The IANA root
zone's DS record for .de points at DENIC's Key Signing Key (KSK); the KSK signs
the .de DNSKEY RRset, and every .de child zone's authenticity derives from
DENIC's Zone Signing Key (ZSK) correctly signing the .de zone, including the DS
records that delegate to each child.
Known incidents
2026-05-05 — .de DNSSEC signature break
Start: ~19:30 UTC, 2026-05-05. Duration: multi-hour for validating resolvers; mitigated by ~22:17 UTC for 1.1.1.1 users via a Negative Trust Anchor equivalent, resolved upstream when DENIC fixed the zone.
Root cause (from DENIC's own post-incident note, quoted in the 2026-05-06 Cloudflare writeup):
"The outage is linked to a routine, scheduled key rollover. During this process, non-validatable signatures were generated and distributed. As a precautionary measure, future rollovers have been suspended until the exact technical causes have been identified." — DENIC (blog.denic.de)
What broke: DENIC published RRSIG records whose signatures
could not be verified against the zone's published DNSKEY
records. The DNSSEC spec requires validating resolvers to reject
unverifiable signatures and return SERVFAIL. Every such resolver
on the Internet (including Cloudflare's
systems/cloudflare-1-1-1-1-resolver|1.1.1.1) therefore
returned SERVFAIL for every fresh .de query — a canonical
instance of signing-key
rotation failing at the phase-3→phase-4 gate (activating a new
signing key before validators can verify against the published
DNSKEY).
Response from the DNS-resolver community: per the Cloudflare writeup, "resolver operators across the Internet independently applied Negative Trust Anchors within an hour", coordinated via the DNS-OARC Mattermost. RFC 7646 names TLD misconfiguration as "the primary use case" for NTAs — DENIC's incident was exactly that case.
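As an added example (not DENIC's or Cloudflare's code), a pre-activation gate check for the failure mode described above: every RRSIG in the zone must point, by key tag and algorithm, at a zone key that is already in the published DNSKEY RRset, and a validating resolver that finds otherwise returns SERVFAIL unless an NTA covers the zone. The key bytes and RRSIG tuples are constructed placeholders, and the check covers only the structural half of the gate, not cryptographic verification of the signatures.

```python
import struct

# Constructed sample material for a DNSSEC key-rollover gate check (not DENIC data).
# Key bytes are placeholders, not real public keys; algorithm 13 = ECDSAP256SHA256.
KSK_PUB = b"\x0a" * 32
ZSK_PUB = b"\x0b" * 32      # ZSK currently published in the DNSKEY RRset
NEW_ZSK_PUB = b"\x0c" * 32  # incoming ZSK, not yet published
ZONE_FLAG = 0x0100          # RFC 4034 2.1.1: flag bit 7 marks a zone key

# Published DNSKEY RRset as (flags, protocol, algorithm, public key bytes).
SAMPLE_DNSKEYS = [(257, 3, 13, KSK_PUB), (256, 3, 13, ZSK_PUB)]


def dnskey_key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag over the DNSKEY RDATA per RFC 4034 Appendix B (all algorithms but 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


# Signatures as (type covered, algorithm, key tag, signer). The DS RRSIG was produced
# with the new ZSK before that key reached the published DNSKEY RRset.
SAMPLE_RRSIGS = [
    ("SOA", 13, dnskey_key_tag(256, 3, 13, ZSK_PUB), "de."),
    ("DS", 13, dnskey_key_tag(256, 3, 13, NEW_ZSK_PUB), "de."),
]


def rollover_gate_check(dnskey_rrset, rrsigs):
    """Return every RRSIG that no ZONE-flagged key in the published DNSKEY RRset can
    validate (key tag and algorithm must both match). Non-empty means: do not activate."""
    published = {(dnskey_key_tag(f, p, a, k), a) for f, p, a, k in dnskey_rrset if f & ZONE_FLAG}
    return [sig for sig in rrsigs if (sig[2], sig[1]) not in published]


def resolver_outcome(orphaned_rrsigs, zone: str, negative_trust_anchors: set) -> str:
    """Validating-resolver result: SERVFAIL on unverifiable signatures (RFC 4035),
    unless an NTA (RFC 7646) makes it treat the zone as insecure instead."""
    if not orphaned_rrsigs:
        return "SECURE"
    return "INSECURE (NTA)" if zone in negative_trust_anchors else "SERVFAIL"


if __name__ == "__main__":
    orphans = rollover_gate_check(SAMPLE_DNSKEYS, SAMPLE_RRSIGS)
    for type_covered, alg, tag, signer in orphans:
        print(f"RRSIG {type_covered} by {signer} key tag {tag} alg {alg}: no published DNSKEY")
    print("validating resolver:", resolver_outcome(orphans, "de.", set()))
    print("with NTA for de.:", resolver_outcome(orphans, "de.", {"de."}))
```

Run against a live zone, the same check fed with the DNSKEY RRset and RRSIGs fetched from the authoritative servers is the monitor a registry or resolver operator would want to alert on before activation rather than after the first SERVFAIL.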
Structural implication: "when a registry at the TLD level fails, every domain under that TLD is affected simultaneously, regardless of where it's hosted or which resolver is used. This isn't unique to DNSSEC; the same is true if a TLD's nameservers become unreachable."
Sources: sources/2026-05-06-cloudflare-when-dnssec-goes-wrong-de-tld-outage.
Seen in
- sources/2026-05-06-cloudflare-when-dnssec-goes-wrong-de-tld-outage — canonical wiki instance of DENIC's role as the .de TLD registry and of the 2026-05-05 DNSSEC-rollover break as a TLD-level failure absorbed by downstream resolvers via NTAs - serve-stale.