DNS issues for .de TLD (SERVFAIL)
Posted by vortexman100@reddit | sysadmin
It seems like .de TLD has some DNS issues going on. Our monitoring shows DNS resolution issues (SERVFAILs) across different networks and countries. Apparently most caches are also affected, with some caches sometimes working.
glassmkr_@reddit
If you're disabling DNSSEC validation as a workaround, scope it to .de only with a negative trust anchor instead of turning it off globally:
rndc nta de. (defaults to 1h lifetime, auto-expires)
domain-insecure: "de." in the conf, then unbound-control reload
Keeps validation active for every other TLD while you wait for denic to fix the bad RRSIG. Drop the NTA once the zone resigns cleanly.
michaelpaoli@reddit
Or just wait it out, if you'd rather not be subject to DNS spoofing and the like for DE.
DNSSEC is working exactly as it should. DE. basically said don't trust DE. data unless it's signed by one of our keys ... and then they f*cked up their signing.
glassmkr_@reddit
Fair point that NTA opens a window where you'd accept unsigned .de responses. Worth noting, it's part of the DNSSEC standard (RFC 7646) for exactly this scenario, not a workaround. If you don't need .de resolution during the outage, waiting is cleaner. If you have business-critical .de traffic, waiting means you're down, and NTA scoped + auto-expire is the operationally accepted compromise.
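A check to run before and after applying the negative trust anchor discussed above, as an added example that is not part of any comment in the thread: it compares a normal query with one that sets the CD (checking disabled) bit to tell a DNSSEC validation failure from a plain resolution failure. The function names and the sample dig headers are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): tell a DNSSEC validation failure apart
# from a plain resolution failure by comparing a normal query with one that
# sets the CD (checking disabled) bit. Function names are hypothetical.

# Print the RCODE from the ";; ->>HEADER<<-" line of dig output.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if the ";; flags:" line carries AD (answer was validated).
has_ad_flag() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# classify <normal dig output> <dig +cdflag output>
classify() {
    st_normal=$(dig_status "$1")
    st_cd=$(dig_status "$2")
    if [ "$st_normal" = "SERVFAIL" ] && [ "$st_cd" = "NOERROR" ]; then
        echo "dnssec-validation-failure"  # data is there, signatures rejected
    elif [ "$st_normal" = "SERVFAIL" ]; then
        echo "resolution-failure"         # broken even with validation off
    elif [ "$st_normal" = "NOERROR" ] && has_ad_flag "$1"; then
        echo "validated-ok"               # zone validates again
    else
        echo "unvalidated-answer"         # NTA active or non-validating resolver
    fi
}

# Live use (needs network): probe 9.9.9.9 de.
probe() {
    classify "$(dig +dnssec "@$1" "$2" SOA)" \
             "$(dig +dnssec +cdflag "@$1" "$2" SOA)"
}

# Constructed dig header samples, so the classifier runs offline.
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3333
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

classify "$SAMPLE_BOGUS" "$SAMPLE_CD"   # outage signature
classify "$SAMPLE_OK" "$SAMPLE_CD"      # after the zone is re-signed
```

Run the probe against a validating resolver that does not carry the NTA: once it reports validated-ok for de., the NTA can be dropped.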
Mr-Shortman@reddit
Same, nothing working on my end, can't reach google.de, amazon.de, nothing...
jykke@reddit
Yeah I wondered why amazon android app did not work, configured to use Germany.
michaelpaoli@reddit
More info and less chatter over on r/dns --> https://www.reddit.com/r/dns/comments/1t4r06f/dns_issues_for_de_tld_servfail/ and including a bit more detailed timeline (when it was last good before failures, when first failures were detected, when data was "better enough" for recoveries to start, and when the DNS[SEC] data situation was resolved by).
ChlupataKulicka@reddit
I bet it is related to last week's DNSSEC root zone signing. https://www.iana.org/dnssec/ceremonies/61
michaelpaoli@reddit
Nope. DE. f*cked themselves over all on their own.
klti@reddit
It's crazy, the German internet is just gone. I thought I'd seen wild outages but this is next level.
Guess who assigns important stuff a fallback domain on a different TLD tomorrow?
michaelpaoli@reddit
Ya Whippersnapper!
Many of us well remember much larger percentages of The Internet being effectively taken out by DNS or other Internet issues.
adsci@reddit
Yeah, I am amazed as well. I can't remember anything like it before.
internal-user@reddit
Makes total sense to host https://status.denic.de/ on a .de domain
michaelpaoli@reddit
Yep, and their DNS email contact too. 8-O
What could possibly go wrong? 😉 Oh yeah, ... that.
Mr-Shortman@reddit
How is it still working? Because they are the source?
superbroleon@reddit
It's working if you resolve it without DNSSEC, e.g. through 9.9.9.10
internal-user@reddit
Not working for me
Better_one@reddit
not working for me either, location Rheinland-Pfalz.
phony_sys_admin@reddit
No wonder I couldn't get to the TreeSize website on firefox.
Salt_Somewhere_308@reddit
It's fixed "All Systems Operational"
dgx-g@reddit
DNSSEC seems fixed by now.
Ottermiral@reddit
any guess if the TTL will make this issue last ? e.g. 24h for servers configured to 86400 ? or can the DENIC or DNS providers force update everything from their end?
sabek@reddit
You can't force a DNS to clear cache, but if your DNS server has the cache you can clear your own
Ottermiral@reddit
I don't own any but was wondering if we might encounter outages for another day if some aren't updated.
sabek@reddit
You could ask your ISP to clear their cache
ptear@reddit
That's good, I don't have to explain why things are down now and how the internet works.
Consistent-Orchid866@reddit
Has anyone an idea what is going on?
ptear@reddit
Germany forgot to renew its domains
Worried-Run-5545@reddit
Looks like the DNS is coming back to life.
AardvarkPlastic7068@reddit
Germany says goodbye to the Internet.
mkdr@reddit
Is WW3 breaking out right now or what's going on, is Frankfurt still standing?
Chris_The_Tuner@reddit
Regrettably, Crackfurt is still standing.
But if things get torn down, best to start with the Waldstadion *ducks* :D
The_FitzZZ@reddit
Goddamn I was debugging my home lab for an hour before finding out this happens :D
superbroleon@reddit
At first I thought it was Cloudflare (again) but realized relatively quickly.
adsci@reddit
Yeah, me too. I was like restarting the DNS servers and all other parts of the network first, then did DNS lookups which got answered but .de domains didn't have a record. Then I looked for upstream servers and Cloudflare and Google were both available but didn't answer for .de domains too. Then I found some DNS who still had answers. Then I went to reddit lol
Ok_Practice_2032@reddit
Did the same but after 5 minutes it was clear for me
remy-00@reddit
All domains of mine are now resolvable again.
Marc-Z-1991@reddit
Great - that's what happens, when Gen-Z thinks they can Vibe-Code the root TLD's... ;) :P
mkdr@reddit
thanks, AI
Perahoky@reddit
Nicely ironic when the .de domain reports a .de outage and, because of the .de outage, you can't open the .de status page for the .de outage
Chris_The_Tuner@reddit
Welcome to the logic of the German internet 😃
Mxmtm@reddit
Damn it, I've gone completely crazy and I'm poring over Pi-Hole and Unbound like a maniac...
Perahoky@reddit
Shit, yes man, EXACTLY THE SAME HAPPENED TO ME. I was at the fck parcel station and couldn't get to my package, I deactivated the VPN, reset the network, restarted, I even asked people on the street whether it was working for them :O
Mxmtm@reddit
hahahah damn
Perahoky@reddit
Yes, without validation on the Pi-hole with direct DNS servers, e.g. clfl or Google, it works.
VPN still doesn't work because there's no Pi-hole and because the VPN runs on .de.
Buuuut if I activate the VPN while on Wi-Fi it works, and as long as it stays up and resolves its domain over the VPN it works :P
wtf I'm going crazy
mkdr@reddit
And I already thought the fault was on my end, I've been trying all the DNS servers for 30 minutes now and NONE of them works!! 1.1.1.1 8.8.8.8 Vodafone, Mullvad, everything dead, sometimes something gets through briefly, sometimes not
mkdr@reddit
I have had problems resolving all kinds of hosts for 1-2 hours, does anyone know what's going on? I can't get any host resolved through Mullvad VPN either
blitzdose@reddit
There seems to be an Issue with DNSSEC for the .de-zone according to a German subreddit
Fluid-Ad4391@reddit
Yea, indeed. I switched my DNS to 9.9.9.10 and it works...
Better_one@reddit
Works for me
andreasbeer1981@reddit
it works for some domains, but not for all.
Consistent-Orchid866@reddit
I am in Germany right now and can't reach any German homepage... DNS and so on... important pages like public news, hospital servers (we noticed because we wanted to check a MRT
coffedriven@reddit
It's pretty wild how dependent on the internet we have become.
Upset-Writing1878@reddit
I can't even work on my stuff properly because of this 😃 I love how they just cut off most of germany from the internet and then call it a day
rankinrez@reddit
Invalid RRSIG for the SOA records it seems yeah
ZStrikeRED@reddit
i was trying to download software from https://www.tobias-erichsen.de/software/loopmidi.html, and noticed that i was getting a name not resolved error, then checked it against cloudflare's nameserver and got a server error:
ZStrikeRED@reddit
Someone else said that Level3 DNS ( 4.2.2.1 ) resolves properly and I can confirm it is indeed working for me
Minimum-Fun-2747@reddit
My Strato de domains are also flapping the whole time right now.
Delicious-Food4711@reddit
Can confirm. Uptime Kuma reported all my de domains as unreachable. Does anyone know more? Cause? When will it be resolved?
Popular_Button2062@reddit
None of my domains are resolvable right now, can confirm
Delicious-Food4711@reddit
Ditto
FlatronEZ@reddit
For us it just affects all .de Domains that use Cloudflare root NS servers - can anyone confirm this?
Hauber_RBLX@reddit
my .de domain is dead too and it is on cloudflare NS servers
FlatronEZ@reddit
Somewhat all domains that do not use Cloudflare DNS for .de seem to work just fine.
andreasbeer1981@reddit
probably caching that survived a bit longer.
Mr-Shortman@reddit
nope i have some domains not on cf that are not working too and some other tlds on cf that still are working
Hauber_RBLX@reddit
seems pretty inconsistent then, i also checked two other sites i know of that are companies and they are dead too. i can imagine some sysadmins are gonna have a rough awakening today
Frothyleet@reddit
I have a single .de domain hosted on cloudflare nameservers and it's resolving just fine. I have not been able to replicate any .de DNS issues - not sure if it's fixed, or if it's a geography / multicast issue (I'm in central US).
Working_Village3338@reddit
It also affects multiple customer domains which are not on Cloudflare for us.
Calien_666@reddit
My company and me are not using Cloudflare and our domains are dead, too.
dd1079@reddit
Nope, all of .de:
dig @8.8.8.8 "de."
Federal_Refrigerator@reddit
Damn what happened I wonder?
FlatronEZ@reddit
I did not mean resolving against CF or GG, I mean if your .de domain uses CF's root DNS :)
ghac101@reddit
DE domain hosted on cloudflare not reachable via WIFI but reachable via 5G. Super weird.
jfernandezr76@reddit
Check if your 5G service runs on IPv6 vs your home service might only be IPv4.
Ok-Wolverine-6298@reddit
Many apps also don't work.
zeuswatch@reddit
Facing same issues for my .de domains
TheAlaine@reddit
Well they took away the partial and made it red instead of orange xD
dawg4prez@reddit
This may give an idea of how widespread the issue is: https://dnschecker.org/#A/www.google.de
---root--@reddit
https://dnssec-debugger.verisignlabs.com/a.nic.de
Bastelkorb@reddit
Sites are callable with quad9 dns @9.9.9.9
dawg4prez@reddit
This may give an idea of how widespread it is: https://dnschecker.org/#A/Www.google.de
KloMeister@reddit
Google DNS is down, switch your network DNS to 1.1.1.1 and everything works again.
Forumschlampe@reddit
If it's a solution, this won't last too long
If denic won't fix this shit soon no de domains will work
adsci@reddit
Best results for me right now is with Level 3 4.2.2.1
Seems like the failures didn't reach it yet
Novarest@reddit
C:\WINDOWS\system32>nslookup whois.denic.com 8.8.8.8
Server: dns.google
Address: 8.8.8.8
*** whois.denic.com wurde von dns.google nicht gefunden: Non-existent domain.
C:\WINDOWS\system32>nslookup whois.denic.com 1.1.1.1
Server: one.one.one.one
Address: 1.1.1.1
*** whois.denic.com wurde von one.one.one.one nicht gefunden: Non-existent domain.
Mr-Shortman@reddit
not on my end
FlatronEZ@reddit
Same here '.de' was wiped from the (German?) part of the internet 🫡
legrenabeach@reddit
Wiped from the entire internet it seems.
RatziFatzi@reddit
Yeah thats one way to delete one thing from the Internet.
JohnnyMyth@reddit
Glad to be not alone. I was worried my damn Technitium DNS server did nasty things again
Bl4ckX_@reddit
Glad I found this thread. I was just setting up some stuff in my Homelab for testing and was going nuts because I had all sorts of weird DNS issues.
Thought it was related to Quad9 at first.
Beatusnox@reddit
There was scheduled maintenance today on the .de domain registry
mmalyska@reddit
source of this info?
mmalyska@reddit
found it: https://www.namecheap.com/status-updates/planned-denic-de-registry-scheduled-maintenance-may-5-2026/
Beatusnox@reddit
Thank you! Apologies everyone was dealing with a user after posting.
mistersd@reddit
https://www.namecheap.com/status-updates/planned-denic-de-registry-scheduled-maintenance-may-5-2026/
Account101244@reddit
Can you provide a source? I only saw a window for 12th of May https://www.namecheap.com/status-updates/planned-denic-de-registry-scheduled-maintenance-may-12-2026/
mistersd@reddit
https://www.namecheap.com/status-updates/planned-denic-de-registry-scheduled-maintenance-may-5-2026/
mmalyska@reddit
found it https://www.namecheap.com/status-updates/planned-denic-de-registry-scheduled-maintenance-may-5-2026/
whoamiagaindude@reddit
Just checked zdf mediathek, for Belgium with local dns, down. Over vpn with private dns ok
EllienoreB@reddit
https://status.denic.de/
"DNS Nameservice - Partial Service Disruption"
BoahSuper@reddit
http://whois.denic.com/
is also down, i guess its an attack or maintenance on denic?!
8zaphod8@reddit
It seems they have screwed up a key rollover, so probably not an attack:
https://www.reddit.com/r/de_EDV/s/atuhVo7GRp
catwiesel@reddit
from what I observed it seems to be a dnssec issue
---root--@reddit
Well, someone f*cked up their DNSSEC
robomanos@reddit
This is a DNSSEC-related issue. .de is reporting invalid RRSIG records so any recursor that validates DNSSEC will fail. Of course, turning off DNSSEC validation now is not the correct action as who knows what is the root cause of this outage.
; EDE: 6 (DNSSEC Bogus): (RRSIG with malformed signature found for
Creative-Pin3389@reddit
Seems to be an issue with DNSSEC:
https://www.reddit.com/r/de_EDV/s/MT189YnpDk
---root--@reddit
Querying DENIC directly is successful.
---root--@reddit
Seems to be a Cloudflare issue, at least all domains I host with Cloudflare are unreachable, whereas those with different NS resolve correctly.
Habbie@reddit
it's definitely not a cloudflare issue, whole .de zone is broken
ChlupataKulicka@reddit
Godspeed brothers 🫡
hosh0r@reddit
same here for my de domain.
Hauber_RBLX@reddit
can confirm my .de is also dead
MelodicProgress6016@reddit
No issues here, yet. Located in Germany.
remy-00@reddit
Same, issues started around 9:40 pm Berlin time
---root--@reddit
Seems to be Google DNS for me
IT-BAER@reddit
same, just noticed like 10 minutes ago
YellowOnline@reddit
I can't reproduce this issue
CEURBS@reddit
I have this issue also with some of my .net, .org and .info domains when checked on https://www.whatsmydns.net/
Working_Village3338@reddit
Confirmed