.de TLD offline due to DNSSEC?

warpspin 591 points 294 comments May 05, 2026
dnssec-analyzer.verisignlabs.com

Discussion Highlights (20 comments)

warpspin

Whole .de TLD seems to go offline right now due to dnssec or missing nic.de nameservers?

kangalioo

So glad I found someone mention this. Amazon.de, SPIEGEL.de is down. Highly prominent sites unreachable. I wonder how long this will last and how big of a thing this ends up being once people talk about it :o Feels big to me

hmilch99

https://pastebin.com/2mQUB8xX seems like someone's going to have a lot of fun tonight

krystofbe

Looks like a DNSSEC issue, not a nameserver outage. Validating resolvers SERVFAIL on every .de name with EDE:

    RRSIG with malformed signature found for a0d5d1p51kijsevll74k523htmq406bk.de/nsec3 (keytag=33834)

dig +cd amazon.de @8.8.8.8 works, dig amazon.de @a.nic.de works. Zone data is intact, DENIC just published an RRSIG over an NSEC3 record that doesn't validate against ZSK 33834. Every validating resolver therefore refuses to answer.

Intermittency fits anycast: some [a-n].nic.de instances still serve the previous (good) signatures, so retries occasionally land on a healthy auth.

Per DENIC's FAQ the .de ZSK rotates every 5 weeks via pre-publish, so this smells like a botched rollover.
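The check described in the comment above (SERVFAIL from a validating resolver while the same query with `+cd` succeeds), as an added example that is not part of the original thread: it builds the two queries and classifies the pair of responses. The function names and result labels are assumptions made for this sketch, and `fake_response` produces constructed headers so the logic can be exercised offline.

```python
import socket
import struct

def build_query(name, cd=False, txid=0x1234):
    """A-record query with EDNS DO set; cd=True sets Checking Disabled (dig +cd)."""
    flags = 0x0100 | (0x0010 if cd else 0)            # RD, plus CD when requested
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000, 0)  # OPT RR, DO bit
    return header + qname + struct.pack("!HH", 1, 1) + opt

def parse_header(msg):
    """Return (rcode, answer_count) from a DNS response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    return flags & 0x000F, ancount

def classify(validating_resp, cd_resp):
    """Compare the normal answer with the +cd answer from the same resolver."""
    v_rcode, _ = parse_header(validating_resp)
    c_rcode, c_answers = parse_header(cd_resp)
    if v_rcode in (0, 3):                    # NOERROR or NXDOMAIN passed validation
        return "ok"
    if v_rcode == 2 and c_rcode == 0 and c_answers > 0:
        return "dnssec-validation-failure"   # data resolves, signatures rejected
    if v_rcode == 2 and c_rcode == 2:
        return "resolution-failure"          # fails even with validation disabled
    return "inconclusive"

def ask(resolver, name, cd, timeout=3.0):
    """Send one UDP query to resolver:53 (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, cd=cd), (resolver, 53))
        return s.recvfrom(4096)[0]

def fake_response(rcode, ancount, cd=False):
    """Constructed 12-byte response header (QR, RD, RA set) for offline checks."""
    flags = 0x8180 | (0x0010 if cd else 0) | rcode
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
```

Against a live resolver, `classify(ask(r, name, False), ask(r, name, True))` gives the same verdict; a cached answer at the resolver can mask the failure, as a later comment in the thread notes.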

nuil

Looks like a DNSSEC error: https://dnssec-analyzer.verisignlabs.com/nic.de

binghatch

Wow… it’s definitely not all .de TLDs, but a lot of prominent ones definitely.

sundiver

Yes, all .de domains down because of DNSSEC failure at Denic https://dnsviz.net/d/de/dnssec/

pogii123

For me bmw.de works but www.bmw.de not

jamietanna

Was wondering why a few of my sites aren't CSSing, as they use https://classless.de

iknowstuff

Kurzgesagt predicted this, Germany is OVER

merb

Well at least it’s night time which means it’s hopefully resolved in the morning. Looks like it failed after a maintenance: https://www.namecheap.com/status-updates/planned-denic-de-re... https://status.denic.de/

1vuio0pswjnm7

.de TLD is online.

DNS working fine

DNSSEC not working

If using an open resolver, i.e., a shared DNS cache, e.g., third party DNS service such as Google, Cloudflare, etc., then it might fail, or it might not. It depends on the third party DNS provider

https://datatracker.ietf.org/meeting/118/materials/slides-11...

lxgr

Wow, I thought I was somehow unaffected but my resolver must just have cached the sites I'd tried.

kuerbel

I just spent the better half of an hour to debug unbound and the pihole because I thought it's a me problem... Good news though, if you add domain-insecure: "de" to your unbound config everything works fine

__michaelg

Finally establishing the concept of Feiertag on the internet. Come back tomorrow.

sunaookami

https://status.denic.de/ says "Partial Service Disruption" for DNS Nameservice now. EDIT: it says "Service Disruption" now

chromehearts

I was STRESSING tf out because I wasn't able to connect to my services & apps through my domains like at all .. they only work when using my phone data ? .. thank god it's not my fault this time

victorbjorklund

I was just wondering what was up with our .de site.

jiggawatts

I work with a few people specialised in IT security, and some of them take their jobs too seriously and will "lock down" everything to the point that it becomes a very real risk that they lock out everyone including themselves. Fundamentally, security is a solution to an availability problem: The desire of the users is for a system to remain available despite external attack. Systems that become unavailable to everyone fail this requirement. A door with its keyhole welded shut is not "secure", it's broken.

yosamino

The last time I remember .de had a major outage like this was 2010. I would cite some sources but... you know. That was a fun afternoon, though. I am very happy that it doesn't happen more often.
