DNS Glitch Affects .de Domains: DENIC's Explanation
Major hiccup hits .de domains; full answers still pending.

On May 5, the German internet hit a snag. Users trying to access .de websites got error messages, especially if their DNS servers were set to validate DNSSEC signatures. It took until early the next day to fix it. DENIC eG, the group handling these domains, has given an initial explanation.
DENIC's blog says their DNS uses Knot, an open-source server from CZ.NIC, the Czech domain management group. This setup, which they updated in April 2026, runs with custom software and Hardware Security Modules (HSMs).
The Key Collision
The trouble started on May 2 with a routine key swap. A new public key, ID 33834, went live three days before it was supposed to. A bug in their custom code generated three key pairs with the same ID, but only one of the public keys was published. This caused an error when the key was first used to sign SOA records, because only some of DENIC's nameservers held the matching private key.
DENIC officials said the error came from a part of their software that wasn't fully tested, so it slipped through both test runs and parallel operations. Even with three monitoring tools, the alerts weren't handled properly.
Key rotation is routine, but this incident shows gaps in testing and validation.
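The check below is an added example, not DENIC's code and not taken from their report. It assumes the "ID" is the DNSSEC key tag from RFC 4034 Appendix B, and it uses constructed key bytes and hypothetical signer names (ns-a, ns-b, ns-c) to flag distinct keys that share a tag and signers that hold no private key matching a published DNSKEY.

```python
"""Pre-publication DNSSEC key audit. Added example; all key data is constructed."""
from collections import defaultdict


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags, protocol, alg, key)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """Build DNSKEY RDATA; the protocol field is always 3."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + public_key


def audit(published: list[bytes], signers: dict[str, list[bytes]]) -> dict:
    """published: DNSKEY RDATA in the zone.
    signers: signer name -> RDATA of the keys whose private half it holds."""
    by_tag = defaultdict(set)
    for rdatas in [published, *signers.values()]:
        for rdata in rdatas:
            by_tag[key_tag(rdata)].add(rdata)
    # The tag is a 16-bit checksum, so distinct keys can share it; compare full keys.
    collisions = {tag: len(keys) for tag, keys in by_tag.items() if len(keys) > 1}
    # A signer with no published key produces signatures validators cannot verify.
    unable = sorted(n for n, held in signers.items() if not set(published) & set(held))
    return {"collisions": collisions, "signers_without_published_key": unable}


def _swap(data: bytes, i: int, j: int) -> bytes:
    buf = bytearray(data)
    buf[i], buf[j] = buf[j], buf[i]
    return bytes(buf)


# Constructed sample: swapping bytes at same-parity offsets keeps the checksum
# identical, giving three different keys with one tag. Not real key material.
_PUB = bytes(range(64))
KEY_A = dnskey_rdata(256, 13, _PUB)
KEY_B = dnskey_rdata(256, 13, _swap(_PUB, 0, 2))
KEY_C = dnskey_rdata(256, 13, _swap(_PUB, 1, 3))
SIGNERS = {"ns-a": [KEY_A], "ns-b": [KEY_B], "ns-c": [KEY_C]}  # hypothetical names

if __name__ == "__main__":
    print(audit(published=[KEY_A], signers=SIGNERS))
```

Run before a new key is activated, a check of this kind reports the shared tag and names the signers whose signatures would fail validation.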
Widespread Impact
At first, it looked like only domains with active DNSSEC were hit. But DENIC later said this wasn't true. The issue also affected NSEC3 records, which DNSSEC uses to prove cryptographically that a name does not exist. Without valid NSEC3 entries, DNSSEC validation failed for all .de domains.
This incident shows why robust testing and monitoring systems are critical.
Context: DNS and Key Management
DNSSEC secures the Domain Name System, ensuring users reach the real site, not a fake one. But managing these keys is tricky, and errors can cause major disruptions, like the .de domain outage. This isn't a one-off; similar issues have happened with other top-level domains, like the .ru TLD in 2024.
How it Compares
Other TLD managers have faced similar problems. The .ru TLD incident also involved a key collision, showing that while the tech is solid, managing it needs careful attention.
What's Still Unclear
- Why the key collision only happened in production, not in testing.
- Details of the custom code and HSM remain undisclosed.
- DENIC hasn't outlined how they'll prevent this next time.
Lack of transparency in proprietary systems can slow down understanding and fixing these issues.
Why This Matters
This DNS glitch highlights vulnerabilities in domain management systems. As more of daily life depends on the internet, ensuring these systems are reliable and secure is crucial. The tech community, especially those who operate DNSSEC infrastructure, can learn from DENIC's full report. These incidents reinforce the need for rigorous testing and clear communication to prevent future issues.
This reminds us of the balance between tech innovation and the need for solid, reliable infrastructure.