The DNSSEC Failure That Made .de Look Fake
The domains were still delegated. The nameservers still answered. What broke was trust: once DENIC published invalid DNSSEC signatures for .de, validating resolvers had to treat those answers as bogus. For users behind resolvers that enforced DNSSEC, a working German domain could suddenly look indistinguishable from a forged one.
That is the uncomfortable bargain DNSSEC makes. It protects DNS by making resolvers prove that an answer follows the chain of trust from the root down through each parent zone. For .de domains, the .de registry sits directly in that chain. If the top-level domain publishes signatures that cannot be validated, the resolver cannot safely accept answers for names below it. The correct response is SERVFAIL.
The failure started around 19:30 UTC on May 5, 2026, according to Cloudflare. The first spike was immediate, but the outage spread in stages. Many .de answers were already cached inside recursive resolvers, and those continued working until their TTLs expired. As each cached answer aged out and the resolver fetched fresh data, it received broken signatures from the .de zone and began failing validation. Retries then inflated query volume, which made the graphs look worse than the number of distinct affected users.
Cloudflare's first cushion was serve stale. When upstream resolution failed, 1.1.1.1 could keep returning expired cached answers instead of immediately returning SERVFAIL. That preserved availability for names already in cache, but it could not help every lookup. New names, missing cache entries, and records without usable stale data still failed.
The stronger mitigation required a security tradeoff. Cloudflare's resolver did not have a native Negative Trust Anchor mechanism, so engineers used an existing override rule to mark .de as insecure. In practice, that told 1.1.1.1 to resolve .de as if DNSSEC were not enabled. Cloudflare rolled out the mitigation at 22:17 UTC, ending impact for 1.1.1.1 users while DENIC continued repairing the zone.
The hard part of this incident was not deciding whether DNSSEC mattered. It was deciding when a known-broken trust chain was providing no useful protection. Returning SERVFAIL preserved the strict security model. Temporarily bypassing validation restored access while accepting unvalidated answers. DNSSEC itself did not fail: validation rejected bad signatures exactly as designed. The operational gap was the lack of a ready exception path for the case where a parent zone makes every child domain look invalid.
"There is no user of 1.1.1.1 resolving a .de name right now who would prefer a SERVFAIL over an unvalidated response." (Cloudflare internal incident room, quoted in Cloudflare's post)
From the first signal to all-clear in 2h 47m.
A parent-zone signature failure broke validation below it.
DNSSEC makes DNS answers fail closed. A resolver checks more than whether a nameserver returned an answer; it also checks whether the signatures prove that answer belongs in the DNS chain of trust. For a .de domain, that chain runs through the .de top-level domain. When the parent zone's signatures became invalid, validating resolvers had to reject answers for domains below .de even when those individual domains had done nothing wrong.
DENIC later said the outage was linked to a routine scheduled key rollover. During that process, non-validatable signatures were generated and distributed. Cloudflare reports that at about 19:30 UTC on May 5, 2026, validating resolvers began receiving incorrect DNSSEC signatures for the .de zone. 1.1.1.1 followed the DNSSEC specification and returned SERVFAIL for records it could not validate.
Cloudflare had two layers of response. First, serve stale kept some cached .de answers working after their TTLs expired, which slowed the spread of visible failures. Then Cloudflare used an override rule to treat .de as an insecure zone, functionally similar to a Negative Trust Anchor. That restored resolution for 1.1.1.1 users, but only by temporarily accepting unvalidated .de answers while DENIC repaired the zone.
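To make the three behaviours above concrete (fail-closed SERVFAIL when a parent zone's signatures are bogus, serve stale for expired cache entries, and an NTA-style "treat this zone as insecure" override), here is a toy validating resolver written for this article; it is not Cloudflare's or DENIC's code. Signature checking is reduced to a per-zone boolean, the zone names, records, addresses and timestamps are constructed, and the TTL of 300 seconds is an assumption.

```python
from dataclasses import dataclass, field

SERVFAIL = "SERVFAIL"
TTL = 300  # assumed TTL for cached answers (constructed value)

@dataclass
class Zone:
    name: str                   # e.g. "de."
    parent: "str | None"        # None for the root zone
    sig_valid: bool = True      # stand-in for "this zone's RRSIGs validate"
    records: dict = field(default_factory=dict)

class Resolver:
    def __init__(self, zones, serve_stale=False, insecure=()):
        self.zones = {z.name: z for z in zones}
        self.serve_stale = serve_stale
        self.insecure = set(insecure)   # zones resolved as if unsigned (NTA-style override)
        self.cache = {}                 # qname -> (rdata, expires_at)

    def chain_valid(self, zone):
        # Walk from the zone up to the root: every link must validate unless an
        # insecure override cuts the chain short at that zone.
        while zone is not None:
            if zone in self.insecure:
                return True
            if not self.zones[zone].sig_valid:
                return False
            zone = self.zones[zone].parent
        return True

    def resolve(self, qname, zone, now):
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            return hit[0]                       # fresh, previously validated answer
        if self.chain_valid(zone):
            rdata = self.zones[zone].records[qname]
            self.cache[qname] = (rdata, now + TTL)
            return rdata
        if self.serve_stale and hit:
            return hit[0]                       # expired but validated earlier; beats SERVFAIL
        return SERVFAIL                         # fail closed: bogus chain, nothing usable

def incident(serve_stale=False, insecure=()):
    """Replay the .de timeline; return outcomes for a cached and an uncached name."""
    de = Zone("de.", ".")
    zones = [Zone(".", None), de,
             Zone("example.de.", "de.", records={"www": "192.0.2.10", "shop": "192.0.2.20"})]
    r = Resolver(zones, serve_stale, insecure)
    r.resolve("www", "example.de.", now=0)      # cached while .de was still healthy
    de.sig_valid = False                        # parent zone now publishes bad signatures
    return {"cached_fresh": r.resolve("www", "example.de.", now=100),   # TTL not expired
            "cached_expired": r.resolve("www", "example.de.", now=400),
            "uncached": r.resolve("shop", "example.de.", now=400)}
```

Running `incident()` with no arguments shows the staged spread (fresh cache entries keep working, expired ones fail), `incident(serve_stale=True)` rescues only names already in cache, and `incident(insecure=("de.",))` restores every lookup at the cost of validation below .de.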