Networks
Major .de domains experienced hours-long outage after registry distributed faulty signatures
Denic says the DNS blunder that brought most of Germany’s internet down on Tuesday evening is now resolved, and that websites should be operating normally after hours of disruption.
The registry, which looks after Germany’s .de top-level domain, said the problems were first detected at 21:57 on April 5, but engineers rolled out fixes by 01:15.
It said the issues were related to Domain Name System Security Extensions (DNSSEC), and that faulty DNSSEC signatures were distributed.
At the time of writing, it is still working on understanding the root cause of how this error came to pass.
Denic did not provide many details about the specific tech glitch behind the disruption. Some online commentators have suggested it was related to a zone signing key rollover, although not everyone agrees, and this is not an official explanation.
The registry promised to provide more details after its investigation concludes.
As the issue was rooted in DNSSEC, only DNSSEC-signed domains were affected.
According to ICANN, only 3.6 percent of .de domains are DNSSEC-signed, but this still represents hundreds of thousands of domains, given there are close to 18 million registered with the .de TLD.
Downdetector’s German website shows thousands of outage reports made concerning major websites such as Amazon, DHL, Steam, Web.de, around the same times that Denic confirmed the problems.
Anecdotal reports from the wider web indicate that the likes of eBay and mainstream news outlets were also unavailable.
Enabling DNSSEC helps website owners tackle nuisances such as DNS spoofing by providing additional validation for DNS responses.
Despite going mainstream in 2010, after DNS attacks really started picking up in 2008, DNSSEC uptake is generally low across the board. Less than 10 percent of most TLDs make use of the security extensions.
There are a few outliers, including the Netherlands, Sweden, Czechia, and China, where uptake is more common, but DNSSEC is largely overlooked by most domains.
The issues deterring website operators from making the switch include complexity, reduced web performance, and cases like Denic’s this week or New Zealand’s in 2023, whereby a website can be brought offline by a registry’s failure. ®
