Executive TL;DR:
- The .de TLD is currently offline due to a DNSSEC issue.
- The problem is caused by a malformed signature in the zone data.
- Some users can bypass the issue by adding domain-insecure settings to their DNS config.
The Buzz Score
The Internet’s Verdict: 70% Hyped, 30% Skeptical
What’s Happening
The .de domain is experiencing a partial service disruption due to a DNSSEC failure. This means that many users are unable to access websites with .de domains.
According to DENIC, the .de zone data is intact, but the RRSIG over an NSEC3 record does not validate against the ZSK.
Looks like a DNSSEC issue, not a nameserver outage. Validating resolvers SERVFAIL on every .de name with EDE: RRSIG with malformed signature found for a0d5d1p51kijsevll74k523htmq406bk.de/nsec3 (keytag=33834)
User Reactions
Many users are frustrated by the outage, with some reporting that they are unable to access their services and apps.
I was STRESSING tf out because I wasn’t able to connect to my services & apps through my domains like at all .. they only work when using my phone data ? .. thank god it’s not my fault this time
However, some users have found a temporary workaround by adding domain-insecure settings to their DNS config.
I just spent the better half of an hour to debug unbound and the pihole because I thought it’s a me problem… Good news though, if you add domain-insecure: “de” to your unbound config everything works fine
Focus Keyword: DNSSEC failure
