RC RANDOM CHAOS

Germany's .de TLD reportedly disrupted by DNSSEC chain-of-trust failure

via Hacker News

Original source

.de TLD offline due to DNSSEC?


Germany's national top-level domain experienced a resolution outage tied to DNSSEC validation. Output from Verisign Labs' DNSSEC analyzer shows the chain-of-trust walk from the root into the .de zone: the authoritative servers (a.nic.de, f.nic.de, z.nic.de and the de.net set) were answering and returned DNSKEY and DS records, but signature verification failed for names below the .de apex, so resolvers that validate DNSSEC refused to answer for nic.de and other .de names.

The trace confirms that the DS record for .de in the root zone (key tag 26755, RSASHA256) and the .de DNSKEY RRset (KSK and ZSK) are present, and that the RRSIG over that DS validates, so the break is below that point, in data signed by DENIC. Once a validator has matched the parent's DS to a KSK it still has to verify the RRSIG over the DNSKEY RRset and then the RRSIG over each delegation's DS records; the likely culprit is one of those signatures being expired, missing, or made with a key that is not in the published DNSKEY RRset. A validating resolver treats any such failure as Bogus and returns SERVFAIL instead of the NOERROR answer it holds, so from a user's perspective the entire TLD looks offline even though the nameservers are answering normally.

The incident is a reminder that DNSSEC trades the risk of silently accepting tampered answers for the risk of hard failure: a botched key rollover or a stalled signing pipeline at a registry can take an entire country-code namespace off the validated internet, while resolvers with validation disabled carry on resolving normally. The quick way to tell the two apart from the outside is to repeat the query with checking disabled (dig +cd), which asks the resolver to hand back the answer without validating it; if that succeeds where the normal query returned SERVFAIL, the data is there and the signatures are the problem. Resolver operators who need to restore service before the registry fixes its zone can add a negative trust anchor for the affected zone (RFC 7646), accepting unvalidated answers for it until the chain is repaired.
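To make the validation walk described above concrete, here is an added example (not from the original post, and not code from DENIC or Verisign Labs) that builds a root -> de. -> nic.de. chain from freshly generated keys, validates it the way a resolver does, and then breaks it by letting .de's signature over the nic.de DS expire. The zone names are the real ones; the keys, signatures and the stale-signature scenario are constructed for the demonstration and are not the actual .de or root keys. The wire formats (DNSKEY, DS, RRSIG and the key tag) follow RFC 4034 and RFC 6605; the hand-rolled P-256 ECDSA is there only because Python's standard library has no public-key primitive and must not be reused outside a demo.

```python
"""Toy DNSSEC chain-of-trust walk: root -> de. -> nic.de. with constructed keys (not IANA's or DENIC's).
Wire formats follow RFC 4034 (DNSKEY, DS, RRSIG, key tag) and RFC 6605 (ECDSAP256SHA256). The P-256
ECDSA is hand-rolled only because the standard library has no public-key primitive: illustration only."""
import hashlib, secrets, struct, time

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff   # P-256 field prime
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551   # P-256 group order
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def ec_add(a, b):                               # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    lam = (3 * a[0] * a[0] - 3) * pow(2 * a[1], -1, P) if a == b else (b[1] - a[1]) * pow(b[0] - a[0], -1, P)
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P
def ec_mul(k, pt):                              # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc
def ecdsa_sign(priv, digest):                   # returns r || s, 32 bytes each (RFC 6605 section 4)
    z = int.from_bytes(digest, "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s: return r.to_bytes(32, "big") + s.to_bytes(32, "big")
def ecdsa_verify(pub, digest, sig):
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not (0 < r < N and 0 < s < N): return False
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(int.from_bytes(digest, "big") * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

TYPE_DS, TYPE_DNSKEY, ALG, TTL = 43, 48, 13, 3600
def labels(name): return [l for l in name.lower().strip(".").split(".") if l]
def wire_name(name): return b"".join(bytes([len(l)]) + l.encode() for l in labels(name)) + b"\0"  # canonical form
def dnskey_rdata(flags, pub):                   # flags | protocol 3 | algorithm | X || Y
    return struct.pack(">HBB", flags, 3, ALG) + pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big")
def key_tag(rdata):                             # RFC 4034 Appendix B checksum over the DNSKEY RDATA
    ac = sum(b << (8 if i % 2 == 0 else 0) for i, b in enumerate(rdata))
    return (ac + (ac >> 16)) & 0xFFFF
def make_ds(owner, rdata):                      # key tag | alg | digest type 2 | SHA-256(owner | DNSKEY RDATA)
    return struct.pack(">HBB", key_tag(rdata), ALG, 2) + hashlib.sha256(wire_name(owner) + rdata).digest()
def signed_data(owner, rtype, rdatas, sig):     # RRSIG RDATA minus the signature, then the sorted canonical RRset
    hdr = struct.pack(">HBBIIIH", rtype, ALG, len(labels(owner)), TTL, sig["exp"], sig["inc"], sig["tag"])
    rrs = b"".join(wire_name(owner) + struct.pack(">HHIH", rtype, 1, TTL, len(rd)) + rd for rd in sorted(rdatas))
    return hdr + wire_name(sig["signer"]) + rrs
def sign_rrset(owner, rtype, rdatas, signer, priv, key_rdata, inc, exp):
    sig = {"inc": inc, "exp": exp, "tag": key_tag(key_rdata), "signer": signer}
    sig["sig"] = ecdsa_sign(priv, hashlib.sha256(signed_data(owner, rtype, rdatas, sig)).digest())
    return sig
def verify_rrset(owner, rtype, rdatas, sig, keys, now):   # keys: [(flags, pub)]; None on success, else the failure
    if not sig["inc"] <= now <= sig["exp"]:
        return f"RRSIG over {owner} type {rtype} not valid at {now} (inception {sig['inc']}, expiration {sig['exp']})"
    digest = hashlib.sha256(signed_data(owner, rtype, rdatas, sig)).digest()
    for flags, pub in keys:                     # key tags can collide, so every key with a matching tag is tried
        if key_tag(dnskey_rdata(flags, pub)) == sig["tag"] and ecdsa_verify(pub, digest, sig["sig"]): return None
    return f"no DNSKEY in {sig['signer']} with tag {sig['tag']} verifies the RRSIG over {owner} type {rtype}"

def validate_chain(anchor_ds, zones, now):
    """Resolver side: a DNSKEY must match the parent's DS, the DNSKEY RRset must verify under it, and the DS
    for the next zone must verify under a key of this zone. Returns None or a string naming the first break."""
    expected = anchor_ds
    for i, z in enumerate(zones):
        rdatas = [dnskey_rdata(*k) for k in z["keys"]]
        trusted = [k for k, rd in zip(z["keys"], rdatas) if make_ds(z["name"], rd) == expected]
        if not trusted: return f"{z['name']}: no DNSKEY matches the DS published by the parent"
        err = verify_rrset(z["name"], TYPE_DNSKEY, rdatas, z["key_sig"], trusted, now)
        if err is None and i + 1 < len(zones):
            err = verify_rrset(zones[i + 1]["name"], TYPE_DS, [z["child_ds"]], z["child_ds_sig"], z["keys"], now)
            expected = z["child_ds"]
        if err: return f"{z['name']}: {err}"
    return None

def build_chain(now, stale_ds=False):
    """Constructed chain. With stale_ds, the RRSIG de. publishes over the nic.de DS expired an hour ago,
    as if the registry's re-signing job had not run; every other record and signature is valid."""
    def new_key(flags):
        d = secrets.randbelow(N - 1) + 1
        return d, (flags, ec_mul(d, G))
    zones, zsks, fresh = [], [], now + 14 * 86400
    for name in (".", "de.", "nic.de."):
        ksk_priv, ksk = new_key(257)            # SEP flag set: the key the parent's DS commits to
        zsk_priv, zsk = new_key(256)
        key_sig = sign_rrset(name, TYPE_DNSKEY, [dnskey_rdata(*ksk), dnskey_rdata(*zsk)], name, ksk_priv,
                             dnskey_rdata(*ksk), now - 3600, fresh)
        zones.append({"name": name, "keys": [ksk, zsk], "key_sig": key_sig})
        zsks.append((zsk_priv, zsk))
    for parent, child, (zsk_priv, zsk) in zip(zones, zones[1:], zsks):
        exp = now - 3600 if stale_ds and parent["name"] == "de." else fresh
        parent["child_ds"] = make_ds(child["name"], dnskey_rdata(*child["keys"][0]))
        parent["child_ds_sig"] = sign_rrset(child["name"], TYPE_DS, [parent["child_ds"]], parent["name"],
                                            zsk_priv, dnskey_rdata(*zsk), now - 2 * 86400, exp)
    return make_ds(".", dnskey_rdata(*zones[0]["keys"][0])), zones

def rcode(validating, chain_error):             # RFC 4035 section 5.5: a validating resolver SERVFAILs on Bogus
    return "SERVFAIL" if validating and chain_error else "NOERROR"
def demo(stale_ds):                             # -> (validating rcode, non-validating rcode, chain error or None)
    now = int(time.time())
    anchor, zones = build_chain(now, stale_ds)
    err = validate_chain(anchor, zones, now)
    return rcode(True, err), rcode(False, err), err

if __name__ == "__main__":
    for stale in (False, True):
        print(f"stale RRSIG(DS) in de.: {stale!s:5} ->", *demo(stale))
```

On the intact chain both resolvers return NOERROR; once the DS signature is stale the validating resolver returns SERVFAIL, with the walk reporting `de.: RRSIG over nic.de. type 43 not valid ...`, while the non-validating one still returns NOERROR, which is exactly the split the article describes. Replacing the expiry with a DS computed over a different key, or removing the ZSK from the DNSKEY RRset before signing, exercises the other two failure modes the validator reports (no matching DS, no key verifying the signature).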


This is an AI-generated summary. Read the original for the full story.