It seems
-
It seems .de is having DNSSEC (and potentially other) issues because nic.de is having issues, which appears to host all their root nameservers. I wish the nic.de peoples much hugs and good luck.
I wonder what implications this has for other critical infra that may now suddenly be getting DNS failures. I hope it doesn't cascade.
It really goes to show how fragile the internet is. which is scary given how much we've come to rely on it.
I think we need more backup infra. meshtastic/etc?
-
It seems .de is having DNSSEC (and potentially other) issues because nic.de is having issues, which appears to host all their root nameservers. I wish the nic.de peoples much hugs and good luck.
I wonder what implications this has for other critical infra that may now suddenly be getting DNS failures. I hope it doesn't cascade.
It really goes to show how fragile the internet is. which is scary given how much we've come to rely on it.
I think we need more backup infra. meshtastic/etc?
note that from what I heard it *should* just be DNSSEC related issues, but as far as I can tell entire domains are down, like google.de and amazon.de are completely unreachable even for me.
edit: it makes sense for domains that use DNSSEC to not reply anything right now. All properly configured domains will have issues as such, whereas non-DNSSEC domains should still be fine (although some people reported issues there too- but I suspect they're all actually DNSSEC-enabled)
-
note that from what I heard it *should* just be DNSSEC related issues, but as far as I can tell entire domains are down, like google.de and amazon.de are completely unreachable even for me.
edit: it makes sense for domains that use DNSSEC to not reply anything right now. All properly configured domains will have issues as such, whereas non-DNSSEC domains should still be fine (although some people reported issues there too- but I suspect they're all actually DNSSEC-enabled)
text from status.denic.de (their official statuspage) is saying that they're still investigating and haven't fully identified the root cause yet.
-
note that from what I heard it *should* just be DNSSEC related issues, but as far as I can tell entire domains are down, like google.de and amazon.de are completely unreachable even for me.
edit: it makes sense for domains that use DNSSEC to not reply anything right now. All properly configured domains will have issues as such, whereas non-DNSSEC domains should still be fine (although some people reported issues there too- but I suspect they're all actually DNSSEC-enabled)
@anthropy It is just a DNSSEC thing. As far as I have debugged it on my setup every validating resolver (that is every DNS server that actually checks the DNSSEC stuff before replying to you) stumbles upon the broken stuff for .de and returns servfail instead.
-
@anthropy It is just a DNSSEC thing. As far as I have debugged it on my setup every validating resolver (that is every DNS server that actually checks the DNSSEC stuff before replying to you) stumbles upon the broken stuff for .de and returns servfail instead.
@sebastian yea I was actually about to update the message heh, it makes sense, though some people reported issues beyond dnssec domains, but I suspect those were just secretly actually dnssec-enabled
-
text from status.denic.de (their official statuspage) is saying that they're still investigating and haven't fully identified the root cause yet.
@anthropy This sounds ... very bad... I thought they had to either rollback an update or deploy certs
-
@sebastian yea I was actually about to update the message heh, it makes sense, though some people reported issues beyond dnssec domains, but I suspect those were just secretly actually dnssec-enabled
@anthropy The resolver validates DNSSEC for all the zones in the chain.
So for www.sebastians-site.de it first checks .de then the zone sebastian-site and www is just a A record in that zone. sebastian-site does not have DNSSEC enabled. Never got around to figuring that out.
However the de zone pointing the validating resolver to the name server that has the sebastians-site zone, has it's DNSSEC messed up. So the resolver can not trust anything in the .de zone and stops there. -
text from status.denic.de (their official statuspage) is saying that they're still investigating and haven't fully identified the root cause yet.
@anthropy some intern who missed patching copyfail on one of the servers is sweating bullets right now.
-
text from status.denic.de (their official statuspage) is saying that they're still investigating and haven't fully identified the root cause yet.
did.. anyone ever hear what the root cause was of the denic root dns outage? they just kinda removed their status page and I can't find much more about it, it'd be interesting to know, even if I can imagine it's uncomfortable for them to share
-
R relay@relay.infosec.exchange shared this topic
-
did.. anyone ever hear what the root cause was of the denic root dns outage? they just kinda removed their status page and I can't find much more about it, it'd be interesting to know, even if I can imagine it's uncomfortable for them to share
@anthropy
So far they have this:
https://blog.denic.de/en/analysis-of-the-dns-outage-on-5-may-2026/ -
R relay@relay.mycrowd.ca shared this topic
