88 comments

[ 5.2 ms ] story [ 72.3 ms ] thread
Whole .de TLD seems to go offline right now due to dnssec or missing nic.de nameservers?
So glad I found someone mention this. Amazon.de, SPIEGEL.de is down. Highly prominent sites unreachable. I wonder how long this will last and how big of a thing this ends up being once people talk about it :o Feels big to me
(comment deleted)
(comment deleted)
Looks like a DNSSEC issue, not a nameserver outage. Validating resolvers SERVFAIL on every .de name with EDE:

RRSIG with malformed signature found for a0d5d1p51kijsevll74k523htmq406bk.de/nsec3 (keytag=33834) dig +cd amazon.de @8.8.8.8 works, dig amazon.de @a.nic.de works. Zone data is intact, DENIC just published an RRSIG over an NSEC3 record that doesn't validate against ZSK 33834. Every validating resolver therefore refuses to answer.

Intermittency fits anycast: some [a-n].nic.de instances still serve the previous (good) signatures, so retries occasionally land on a healthy auth. Per DENIC's FAQ the .de ZSK rotates every 5 weeks via pre-publish, so this smells like a botched rollover.

Curious how this comment was originally marked as "dead" but is now on top

I saw it at bottom of thread and vouched for it. Usually when I "vouch" nothing happens

I always ignore the RRSIG lines in zone files. To me it's not "DNS data", it's cruft

But DNSSEC has its true believers. I'm just not one of them

Wow… it’s definitely not all .de TLDs, but a lot of prominent ones definitely.
For me bmw.de works but www.bmw.de not
Kurzgesagt predicted this, Germany is OVER
.de TLD is online. DNS working fine

DNSSEC not working

If using an open resolver, i.e., a shared DNS cache, e.g., third party DNS service such as Google, Cloudflare, etc., then it might fail, or it might not. It depends on the third party DNS provider

https://datatracker.ietf.org/meeting/118/materials/slides-11...

(comment deleted)
To me, a response from a "root DNS server", i.e., [a-m].root-servers.net, is not "wrong" if it contains the correct data that I'm requesting, e.g., domainnames and associated IP numbers

I'm never requesting RRSIGs as I do not use that data. For me, it's just cruft that now comes in the response

Wow, I thought I was somehow unaffected but my resolver must just have cached the sites I'd tried.
I just spent the better half of an hour to debug unbound and the pihole because I thought it's a me problem...

Good news though, if you add domain-insecure: "de" to your unbound config everything works fine

Finally establishing the concept of Feiertag on the internet. Come back tomorrow.
I was STRESSING tf out because I wasn't able to connect to my services & apps through my domains like at all .. they only work when using my phone data ? .. thank god it's not my fault this time
I work with a few people specialised in IT security, and some of them take their jobs too seriously and will "lock down" everything to the point that it becomes a very real risk that they lock out everyone including themselves.

Fundamentally, security is a solution to an availability problem: The desire of the users is for a system to remain available despite external attack.

Systems that become unavailable to everyone fail this requirement.

A door with its keyhole welded shut is not "secure", it's broken.

The last time .de I remember .de had a major outage like this was 2010. I would cite some sources but... you know. That was a fun afternoon, though.

I am very happy that it doesn't happen more often.