
When DNSSEC goes wrong: how we responded to the .de TLD outage

Blog post from Cloudflare

Post Details

Company: Cloudflare
Date Published:
Author: Sebastiaan Neuteboom, Christian Elmerot, and Max Worsley
Word Count: 2,092
Language: English
Hacker News Points: -
Summary

On May 5, 2026, DENIC, the registry operator for Germany's .de TLD, mistakenly published incorrect DNSSEC signatures. Validating resolvers, including Cloudflare's public DNS resolver 1.1.1.1, rejected those signatures as the DNSSEC specifications require, causing widespread DNS resolution failures that left millions of domains unreachable. The incident highlighted the role DNSSEC plays in data integrity: it lets a resolver verify that DNS records have not been tampered with, even though it provides no privacy. To limit user impact, Cloudflare deployed two temporary measures: "serve stale", which continues to answer from cached records past their TTL, and a workaround akin to a Negative Trust Anchor (NTA), which treats the .de zone as insecure so that DNSSEC validation is bypassed for it. The incident also underscores how the DNS hierarchy amplifies a disruption at the TLD level, and the need for collaboration and communication within the DNS community to address and mitigate such issues quickly.