Germany's country-code top-level domain (ccTLD), .de, experienced a large-scale, prolonged outage last night. The outage does not appear to have been a failure of the name servers for the .de domain, but an error in the signatures of DNSSEC, the signing system the domain uses. Because the signatures themselves were wrong, the entire .de namespace was paralyzed.
After analysis, experts found that this was a basic configuration error by DENIC (the agency responsible for managing the domain). The cause was that DENIC published a malformed signature while rotating the ZSK. ZSK stands for Zone Signing Key, the key used to sign zone data under DNSSEC.
Because malformed signatures were published, every recursive resolver with DNSSEC validation enabled returned SERVFAIL errors, which left a large number of .de domain names unable to resolve. For example, the German e-commerce website Amazon.de could not be loaded.
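The following is an added example, not code from the article, DENIC or Cloudflare. It shows the usual operator check for this failure mode: send the same query with and without the DNS Checking Disabled (CD) bit and compare the response codes, which separates a DNSSEC validation failure from an ordinary resolution failure. The function names and the response headers are constructed for illustration.

```python
import struct

RD, AD, CD = 0x0100, 0x0020, 0x0010   # DNS header flag bits (RFC 1035, RFC 4035)
SERVFAIL, NOERROR = 2, 0

def build_query(name, qid, checking_disabled=False):
    """A-record query with the EDNS0 DO bit set; CD=1 asks the resolver to skip validation."""
    flags = RD | (CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)   # 1 question, 1 additional (OPT)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)               # QTYPE=A, QCLASS=IN
    # OPT pseudo-RR: root name, TYPE=41, UDP size 1232, ext-rcode 0, version 0, DO flag, RDLEN 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_header(msg):
    """Decode the fixed 12-byte DNS header of a response."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "rcode": flags & 0xF, "ad": bool(flags & AD), "answers": an}

def diagnose(normal_resp, cd_resp):
    """Compare the resolver's answer to a normal query and to the same query with CD=1."""
    n, c = parse_header(normal_resp), parse_header(cd_resp)
    if n["rcode"] == SERVFAIL and c["rcode"] == NOERROR and c["answers"] > 0:
        return "dnssec-validation-failure"   # data is reachable, signatures do not validate
    if n["rcode"] == SERVFAIL and c["rcode"] == SERVFAIL:
        return "resolution-failure"          # fails even without validation: not DNSSEC-specific
    if n["rcode"] == NOERROR:
        return "validated" if n["ad"] else "resolved-unvalidated"
    return "other"

# Constructed response headers (header bytes only), not captured traffic.
SERVFAIL_RESP = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)   # QR|RD|RA, rcode 2
CD_OK_RESP = struct.pack("!HHHHHH", 0x1235, 0x8190, 1, 1, 0, 1)      # QR|RD|RA|CD, 1 answer
AD_OK_RESP = struct.pack("!HHHHHH", 0x1236, 0x81A0, 1, 1, 0, 1)      # QR|RD|RA|AD, 1 answer

if __name__ == "__main__":
    print(diagnose(SERVFAIL_RESP, CD_OK_RESP))
    print(diagnose(SERVFAIL_RESP, SERVFAIL_RESP))
    print(diagnose(AD_OK_RESP, CD_OK_RESP))
```

The bytes returned by `build_query` can be sent over UDP port 53 to a validating resolver; the same comparison is what `dig` and `dig +cd` show interactively.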

After detecting the anomaly, Cloudflare, which operates the 1.1.1.1 public DNS server, immediately turned off DNSSEC validation for the .de domain, so users of 1.1.1.1 and 1.0.0.1 were not particularly affected, but users of other public DNS servers may have experienced prolonged access failures.
But Cloudflare's approach also raises a question: could this kind of emergency validation shutdown itself become a target in an attack? That is, an attacker could use an incident to divert attention, get the mainstream public DNS providers to turn off DNSSEC, and then carry out other hijacks.
DNSSEC was originally a digital signature layer added to prevent DNS spoofing, yet a simple configuration error was able to take the .de domain offline outright. For this reason, some people in the industry lament that the Internet's failover capability fails here: DNSSEC improves security, but it also increases brittleness.
In addition, DENIC, which is responsible for this issue, issued an announcement acknowledging that the accessibility of all .de domain names with DNSSEC signing enabled was affected. DENIC said that the root cause of the interruption has not yet been fully determined, and that its technical team is working hard to analyze the problem and restore stable operation as soon as possible.
Note: As of the publication of this article, access to .de domain names signed with DNSSEC has been gradually restored. However, because different domain names have different TTL (time to live) values, some domain names may need to wait for DNS caches worldwide to refresh before they can be accessed.