Germany’s .de Domain Namespace Goes Dark

Germany’s Entire .de Domain Namespace Went Dark — Because of a Bad Digital Signature

On May 5, 2026, bahn.de, spiegel.de, and thousands of other German websites became completely inaccessible — but not for the reasons you’d think. The websites were working fine. Their DNS records were correct. Their servers were running. The problem was a corrupt digital signature in the root of Germany’s entire domain infrastructure.

This is one of those incidents that reveals how deeply the digital trust chain runs beneath the internet we take for granted, and how fragile that trust becomes when a single cryptographic signature goes wrong.

What Happened

DENIC eG — the registry that manages all .de domains, with 17.9 million registrations — experienced a DNSSEC signing fault that affected an entire hash range in the zone file. Specifically, an NSEC3 record in the .de zone was served with a malformed RRSIG (signature keytag 33834).

Because DNSSEC validates the entire cryptographic chain from root to leaf, a single corrupt signature in the authority section doesn’t just break one record — it breaks trust for every domain whose hash falls in the affected NSEC3 range. That’s why bahn.de (the national railway), spiegel.de (a major news publisher), and tiny business domains all went dark simultaneously, with no shared operator, hosting provider, or management team.
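To make the "hash range" point concrete, here is an added example (not code from the original post or from DENIC) that computes NSEC3 owner hashes the way RFC 5155 specifies and then works out which names would depend on one particular NSEC3 record, either because their hash matches its owner name or because it falls into the gap that record covers. The salt and iteration count used in the demo, the `next` hash and the list of names are constructed assumptions; the real .de parameters come from the zone's NSEC3PARAM record, so the demo does not claim to reproduce which domains actually failed.

```python
import base64
import hashlib

# NSEC3 owner names use base32 with the "extended hex" alphabet (RFC 4648 section 7).
# A 20-byte SHA-1 digest encodes to exactly 32 characters with no padding.
_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX = str.maketrans(_B32, _B32HEX)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase labels, each prefixed by
    its length, terminated by the zero-length root label."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    wire = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return wire + b"\x00"


def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """RFC 5155 section 5: SHA-1(name || salt), re-hashed `iterations` more times
    with the salt appended each round, then base32hex-encoded (lowercase)."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_HEX).lower()


def nsec3_covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True if target_hash lies strictly between owner and next on the hash ring.
    The last record in the chain has next < owner and wraps around to the start."""
    o, n, t = owner_hash.lower(), next_hash.lower(), target_hash.lower()
    if o < n:
        return o < t < n
    return t > o or t < n


def names_affected(names, owner_hash, next_hash, salt=b"", iterations=0):
    """Names whose proof of (non-)existence would be served with this NSEC3 record:
    the record's own owner (hash matches) or any name falling into its covered gap.
    If that record's RRSIG is malformed, every one of these names validates as bogus."""
    hits = []
    for name in names:
        h = nsec3_hash(name, salt, iterations)
        if h == owner_hash.lower() or nsec3_covers(owner_hash, next_hash, h):
            hits.append((name, h))
    return hits


if __name__ == "__main__":
    # Owner hash taken from the dig diagnostic quoted in the post; the next hash,
    # the salt/iterations and the name list are constructed for the demo only.
    owner = "a0d5d1p51kijsevll74k523htmq406bk"
    nxt = "a0d5d1p51kijsevll74k523htmq40700"  # constructed placeholder
    sample_names = ["bahn.de", "spiegel.de", "example-shop.de"]
    for name, h in ((n, nsec3_hash(n)) for n in sample_names):
        print(f"{name:20s} -> {h}")
    print("depend on this NSEC3:", names_affected(sample_names, owner, nxt))
```

The hash function is checked against the RFC 5155 Appendix A test vector (zone `example`, salt `aabbccdd`, 12 iterations), so you can trust it for real zones once you feed it the parameters from the NSEC3PARAM record. Note that ordering on the ring is plain string comparison of the base32hex text, which is why the wrap-around case is handled explicitly.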

The Technical Details

For the technically curious (this is actually the fun part):

When resolvers like Google’s 8.8.8.8, Cloudflare’s 1.1.1.1, or Quad9’s 9.9.9.9 try to resolve an affected domain with DNSSEC validation enabled, they receive a SERVFAIL response. The diagnostic error message is telling:

;; EDE: 6 (DNSSEC Bogus): (RRSIG with malformed signature found for
;;   a0d5d1p51kijsevll74k523htmq406bk.de/nsec3 (keytag=33834))

The exact same domain works perfectly when DNSSEC validation is disabled (+cd flag), confirming the infrastructure itself was fine — only the cryptographic trust chain was broken. It’s like having a perfectly valid passport that’s stamped with a fake signature.
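The validating-versus-`+cd` comparison described above is exactly the check an operator wants in a monitoring script. The following added example (not from the original post) parses two dig transcripts for the same name, one from a validating query and one with checking disabled, and classifies the outcome: bogus signatures look like SERVFAIL plus an Extended DNS Error in the DNSSEC range (RFC 8914 codes 6 and neighbours) while `+cd` succeeds, whereas an outage of the nameservers themselves fails both ways. The transcripts are constructed samples modelled on dig's header and EDE lines, not captures from the incident.

```python
import re

# Constructed sample transcripts (not captured output). The EDE text mirrors the
# message format dig prints; the header/flags lines are the usual dig summary.
VALIDATING_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; EDE: 6 (DNSSEC Bogus): (RRSIG with malformed signature found for
;;   a0d5d1p51kijsevll74k523htmq406bk.de/nsec3 (keytag=33834))
"""
CD_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
SERVFAIL_NO_EDE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

STATUS_RE = re.compile(r"status: ([A-Z]+)")
EDE_RE = re.compile(r";; EDE: (\d+) \(([^)]*)\)")
KEYTAG_RE = re.compile(r"keytag=(\d+)")

# RFC 8914 Extended DNS Error codes that point at a DNSSEC validation problem
# rather than at the network or the authoritative servers.
DNSSEC_EDE_CODES = {1, 2, 5, 6, 7, 8, 9, 10, 11, 12}


def parse_dig(output: str) -> dict:
    """Extract rcode, EDE code/name and any keytag mentioned in the EDE text."""
    status = STATUS_RE.search(output)
    ede = EDE_RE.search(output)
    keytag = KEYTAG_RE.search(output)
    return {
        "status": status.group(1) if status else None,
        "ede_code": int(ede.group(1)) if ede else None,
        "ede_name": ede.group(2) if ede else None,
        "keytag": int(keytag.group(1)) if keytag else None,
    }


def classify(validating_output: str, cd_output: str) -> str:
    """Compare a validating query with a +cd query for the same name.

    ok                    - validation succeeds
    dnssec_bogus          - +cd works but validation reports a DNSSEC EDE code
    validation_failure    - +cd works, validation fails without a DNSSEC EDE code
    infrastructure_failure - the name fails even with checking disabled
    """
    v, cd = parse_dig(validating_output), parse_dig(cd_output)
    if v["status"] == "NOERROR":
        return "ok"
    if cd["status"] != "NOERROR":
        return "infrastructure_failure"
    if v["ede_code"] in DNSSEC_EDE_CODES:
        return "dnssec_bogus"
    return "validation_failure"


if __name__ == "__main__":
    info = parse_dig(VALIDATING_OUTPUT)
    print(f"EDE {info['ede_code']} ({info['ede_name']}), keytag {info['keytag']}")
    print("verdict:", classify(VALIDATING_OUTPUT, CD_OUTPUT))
```

In practice you would feed this the output of `dig +dnssec NAME` and `dig +cd NAME` against a validating resolver; the point of keeping the two runs separate is that a `dnssec_bogus` verdict tells you to look at the zone's signing pipeline (the registry, in this incident), not at your own servers.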

According to DNS expert Christian Gebhardt’s detailed technical analysis on Blackfort Technology, the problem was specifically in DENIC’s zone-signing infrastructure, not any individual domain operator’s configuration.

The Resolution

The issue was identified and patched at around 20:15 UTC on May 5, 2026 when DENIC performed a targeted re-signing run of the affected NSEC3 hash range using a new key — keytag 32911. The earlier fix attempt at 20:33 UTC had only updated the SOA RRSIG record, not the malformed NSEC3 RRSIG, so it took a second targeted run to fully resolve the problem.

Google DNS, Cloudflare DNS, and Quad9 all confirmed NOERROR responses following the fix.

What This Teaches Us

There are a few lessons here for anyone running infrastructure seriously:

  1. DNSSEC is a single point of failure for validation. Once it went wrong, every validating resolver in the world treated perfectly functional domains as broken. There was no fallback — either your signatures are valid or you’re offline. (This is arguably the right tradeoff, since DNSSEC exists for security, not availability.)

  2. DNSSEC doesn’t make you bulletproof. It makes you provably trustworthy — and that guarantee only holds when the signatures are actually valid. When they’re not valid, the response is “trust nothing” rather than “trust the best version.”

  3. The .de namespace is enormous. 17.9 million domains is a staggering number. The fact that a single NSEC3 hash range could knock out a meaningful, unpredictable subset of them shows how the DNS hierarchy works under the hood.

If you’re running a .de domain with DNSSEC enabled (or managing any domain in a zone you don’t directly control), this is worth keeping in mind. You can be doing everything right — correct A records, working nameservers, proper configuration — and still go dark because of a single bad signature in the zone’s trust chain.


Sources: Blackfort Technology — detailed DNSSEC incident analysis, Cloudflare Community — .de resolution issues thread, Hacker News discussion