DENIC published an invalid RRSIG over an NSEC3 record in the .de zone, causing DNSSEC validation failures (SERVFAIL from validating resolvers) across all .de domains.
Key Takeaways
The Verisign DNSSEC Debugger confirms the failure: the RRSIG with key tag 33834 over the nic.de DS RRset does not verify against the .de ZSK with that key tag.
All four DENIC nameservers (ns1-ns4.denic.de/net) are unreachable, so the DNSKEY RRset for nic.de cannot be retrieved.
The chain of trust from the root down to the .de DS and DNSKEY records is intact; the break is a bad signature on an NSEC3 record inside the .de zone.
Queries with validation disabled (dig +cd, which sets the Checking Disabled bit so the resolver returns data it could not validate) resolve normally, confirming the zone data itself is intact and the problem is confined to the signatures.
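The bookkeeping behind a finding like "RRSIG over X fails against ZSK 33834", as an added example that is not code from DENIC, Verisign, the page or any commenter: it computes DNSKEY key tags per RFC 4034 Appendix B, parses DNSKEY and RRSIG records in dig's presentation format, finds which key an RRSIG names, and runs the validity-window and signer checks a validator makes before attempting the signature itself. Every record is constructed: the DNSKEYs carry tiny fake RSASHA256 key material (so their tags are 2062 and 4119, not the real 33834) and the RRSIG dates, tag and signature are invented; only the NSEC3 owner name is taken from the page. The cryptographic verification step is deliberately not performed.

```python
"""Triage an RRSIG before any cryptography: which DNSKEY does it name
(RFC 4034 Appendix B key tag), does that key exist at the signer, and
is the signature inside its validity window.

Added example, not code from DENIC, Verisign or the page. Every record
below is constructed: the DNSKEYs carry tiny fake key material (tags
2062 and 4119, not the real .de tag 33834) and the RRSIG dates and
signature are invented; only the NSEC3 owner name comes from the page.
"""
import base64
import struct
from datetime import datetime, timezone

# Constructed DNSKEY RRset for "de." in dig presentation format.
SAMPLE_DNSKEYS = [
    "de. 3600 IN DNSKEY 256 3 8 AQIDBA==",  # flags 256: ZSK (fake RSASHA256 key)
    "de. 3600 IN DNSKEY 257 3 8 BQYHCA==",  # flags 257: SEP bit set, KSK by convention
]

# Constructed RRSIG over the NSEC3 owner named on the page: fake dates, tag, signature.
SAMPLE_RRSIG = (
    "a0d5d1p51kijsevll74k523htmq406bk.de. 3600 IN RRSIG NSEC3 8 2 3600 "
    "20240101000000 20231201000000 2062 de. AAAA"
)


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B.1 key tag: a 16-bit checksum over the DNSKEY RDATA.
    (Algorithm 1, RSAMD5, uses a different rule and is not handled here.)"""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8  # even offsets are the high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_time(stamp):
    """RRSIG expiration/inception as dig prints it: YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_dnskey(line):
    """Parse one DNSKEY record in presentation format and compute its key tag."""
    owner, _ttl, _cls, rtype, flags, proto, alg, *b64 = line.split()
    if rtype != "DNSKEY":
        raise ValueError(f"not a DNSKEY record: {line!r}")
    flags, proto, alg = int(flags), int(proto), int(alg)
    pubkey = base64.b64decode("".join(b64))
    return {
        "owner": owner,
        "algorithm": alg,
        "key_tag": key_tag(flags, proto, alg, pubkey),
        "role": "KSK" if flags & 0x0001 else "ZSK",  # SEP flag bit
    }


def parse_rrsig(line):
    """Parse one RRSIG record in presentation format."""
    (owner, _ttl, _cls, rtype, covered, alg, labels, _orig_ttl,
     expiration, inception, tag, signer, *sig) = line.split()
    if rtype != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return {
        "owner": owner,
        "type_covered": covered,
        "algorithm": int(alg),
        "labels": int(labels),
        "expiration": parse_time(expiration),
        "inception": parse_time(inception),
        "key_tag": int(tag),
        "signer": signer,
        "signature": base64.b64decode("".join(sig)),
    }


def find_signing_keys(rrsig, dnskeys):
    """All DNSKEYs the RRSIG could refer to. Key tags are 16-bit and may
    collide, so this is a list; a validator tries each candidate."""
    return [k for k in dnskeys
            if k["owner"] == rrsig["signer"]
            and k["algorithm"] == rrsig["algorithm"]
            and k["key_tag"] == rrsig["key_tag"]]


def check_rrsig(rrsig, dnskeys, now):
    """Cheap checks a validator makes before verifying the signature itself.
    Returns a list of problems; an empty list means 'worth trying the crypto'."""
    problems = []
    owner, signer = rrsig["owner"], rrsig["signer"]
    if not (owner == signer or owner.endswith("." + signer)):
        problems.append(f"signer {signer} is not a parent of {owner}")
    if len(owner.rstrip(".").split(".")) < rrsig["labels"]:
        problems.append("labels field exceeds the owner name's label count")
    if not find_signing_keys(rrsig, dnskeys):
        problems.append(f"no DNSKEY at {signer} with key tag {rrsig['key_tag']} "
                        f"and algorithm {rrsig['algorithm']}")
    if now < rrsig["inception"]:
        problems.append(f"signature not yet valid (inception {rrsig['inception']:%Y%m%d%H%M%S})")
    if now > rrsig["expiration"]:
        problems.append(f"signature expired (expiration {rrsig['expiration']:%Y%m%d%H%M%S})")
    return problems


if __name__ == "__main__":
    keys = [parse_dnskey(line) for line in SAMPLE_DNSKEYS]
    for k in keys:
        print(f"{k['owner']} {k['role']} alg {k['algorithm']} key tag {k['key_tag']}")
    sig = parse_rrsig(SAMPLE_RRSIG)
    print("RRSIG names key tag", sig["key_tag"], "->",
          [k["key_tag"] for k in find_signing_keys(sig, keys)])
    print("problems:", check_rrsig(sig, keys, parse_time("20231215000000")) or "none")
```

A matching key tag only tells a validator which key to try; it says nothing about whether the signature over the RRset is correct, and that verification is exactly the step that failed in this incident. An empty problem list from check_rrsig therefore means "the RRSIG is well-formed and names a key that exists", not "the RRSIG is valid".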
Hacker News Comment Review
Commenters confirm the root cause: a malformed RRSIG over an NSEC3 record published by DENIC causes every validating resolver to SERVFAIL on all .de names.
The incident revived the debate about DNSSEC's operational risk: a single signing mistake at one registry takes down millions of domains, and a validating resolver has no workaround of its own short of its operator switching validation off for the affected zone (a negative trust anchor, RFC 7646).
Recovery is bounded by cache TTLs: validating resolvers that cached the bad RRSIG keep failing until it expires, even after DENIC publishes a correct one. A fix published before morning local time should limit the business impact, but the fragility is flagged as a political and infrastructure risk at TLD scale.
Notable Comments
@krystofbe: Pinpoints the exact bad record: the RRSIG over a0d5d1p51kijsevll74k523htmq406bk.de/nsec3 with keytag=33834 fails; dig +cd and direct authoritative queries both resolve fine.
@tom1337: “we took the decentralized platform DNS was and added a single-point-of-failure certificate layer on top of it” – sharp framing of the DNSSEC centralization tradeoff.