Massive DNSSEC Disruption Affects “DE” Domains in Germany
A massive failure hit the “DE” domain zone used in Germany. The problems were caused by an error in the DNSSEC setup for the “DE” zone made by DENIC, the organization responsible for the first-level domain “DE”. From May 5 22:30 to May 6 1:30 (MSK), attempts to resolve domains in the “DE” zone failed on DNS servers that use DNSSEC to verify data validity. On those servers, resolution also failed for domains that do not directly use DNSSEC.
The problem affected many DNS resolvers operated by providers as well as public DNS services such as 1.1.1.1 and 8.8.8.8. As a temporary measure, Cloudflare has disabled DNSSEC validation for domains in the “DE” zone in its 1.1.1.1 DNS service. Users of DNS resolvers with DNSSEC disabled were not affected.
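A triage sketch for the symptom described above, added here as an example and not taken from DENIC or any resolver operator: it compares the header of a normal query with the same query sent with the CD (checking disabled) bit set, as `dig +cd` does, to separate DNSSEC validation failures from ordinary outages. The domain names and dig headers are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

def parse_header(text):
    """Return (rcode, flags) from the header lines of dig output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"flags: ([a-z ]*);", text)
    if not status or not flags:
        raise ValueError("not a dig header")
    return status.group(1), set(flags.group(1).split())

def classify(validated, unchecked):
    """Compare a normal query with the same query sent with +cd."""
    rcode, flags = parse_header(validated)
    cd_rcode, _ = parse_header(unchecked)
    if rcode == "SERVFAIL":
        # Data is retrievable once validation is skipped: the signatures are the problem.
        return "dnssec-failure" if cd_rcode != "SERVFAIL" else "resolution-failure"
    if rcode == "NOERROR":
        # AD is set only when the resolver validated the answer.
        return "secure" if "ad" in flags else "insecure"
    return "other"

def failing_zones(observations):
    """Top-level zones in which every probed name fails validation."""
    by_zone = defaultdict(list)
    for name, (validated, unchecked) in observations.items():
        by_zone[name.rsplit(".", 1)[-1]].append(classify(validated, unchecked))
    return sorted(z for z, r in by_zone.items() if all(x == "dnssec-failure" for x in r))

def hdr(status, flags):
    # Builds a constructed dig header; not output captured during the incident.
    return (f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 1\n"
            f";; flags: {flags}; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1")

# Constructed observations with placeholder names: (normal query, same query with +cd).
OBSERVATIONS = {
    "signed-example.de":   (hdr("SERVFAIL", "qr rd ra"), hdr("NOERROR", "qr rd ra cd")),
    "unsigned-example.de": (hdr("SERVFAIL", "qr rd ra"), hdr("NOERROR", "qr rd ra cd")),
    "example.org":         (hdr("NOERROR", "qr rd ra ad"), hdr("NOERROR", "qr rd ra cd")),
    "example.net":         (hdr("SERVFAIL", "qr rd ra"), hdr("SERVFAIL", "qr rd ra cd")),
}

if __name__ == "__main__":
    for name, pair in OBSERVATIONS.items():
        print(name, classify(*pair))
    print("zones failing validation:", failing_zones(OBSERVATIONS))
```

When signed and unsigned names under the same top-level zone both land in `dnssec-failure`, the fault sits in the parent zone rather than in the individual domains.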
The reasons for the incident have not yet been officially announced. The problem is believed to stem from an error made when the digital signature for the “DE” zone was updated on May 5 at 20:49 (MSK). The key used to verify a first-level domain is the root of trust for the remaining keys used in second-level domains and, in turn, relies on the key of the root domain “.” above it to confirm its own trust.
As a result of the operation carried out in the “DE” domain zone, the cryptographic signature (RRSIG