On May 5, 2026, DENIC published broken DNSSEC signatures during a routine key rollover for the .de TLD, causing validating resolvers including Cloudflare's 1.1.1.1 to return SERVFAIL for millions of German domains. The post details how DNSSEC chain-of-trust failures propagate, how 1.1.1.1's 'serve stale' (RFC 8767) cushioned the impact by continuing to serve expired cached records, and how Cloudflare applied a Negative Trust Anchor (NTA) override at 22:17 UTC to restore resolution by treating .de as unsigned. The post also identifies a bug where 1.1.1.1 returned EDE 22 (No Reachable Authority) instead of EDE 6 (DNSSEC Bogus), obscuring the real cause. Broader lessons include the structural fragility of TLD-level failures, the value of DNS-OARC community coordination, and why DNSSEC misconfiguration doesn't invalidate the technology itself.
Table of contents

How DNSSEC works
What we saw
Serve stale
Our mitigation
Is this a failure of DNSSEC as a technology?
#HugOps
Takeaways from this incident
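The summary above names three mechanisms that decided what clients of a validating resolver saw during the .de rollover: chain-of-trust validation (a broken link at the TLD makes every signed zone beneath it bogus, however correct their own signatures are), RFC 8767 serve-stale (keep handing out a previously validated answer past its TTL rather than fail), and the Negative Trust Anchor override (treat .de as unsigned so the chain ends there as "insecure" instead of "bogus"). The following toy model, added here as an illustration and not Cloudflare's or DENIC's code, puts those three decisions in one function and attaches the RFC 8914 Extended DNS Error a resolver should report in each case (EDE 3 Stale Answer, EDE 6 DNSSEC Bogus, EDE 22 No Reachable Authority), which is the distinction the post's EDE bug blurred. Zone names, addresses, timestamps and the 3-day serve-stale ceiling are constructed assumptions.

```python
"""Toy model of a validating resolver's decision path during a TLD
key-rollover failure: chain-of-trust validation, RFC 8767 serve-stale and a
Negative Trust Anchor (NTA) override, with the RFC 8914 Extended DNS Error a
resolver should attach. Added illustration, not Cloudflare's or DENIC's code;
every zone, address and timestamp below is constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional

# Extended DNS Error codes (RFC 8914).
EDE_STALE_ANSWER = 3
EDE_DNSSEC_BOGUS = 6
EDE_NO_REACHABLE_AUTHORITY = 22

# Assumed serve-stale ceiling; RFC 8767 suggests a max-stale of 1 to 3 days.
DEFAULT_MAX_STALE = 3 * 86400


class Validation(Enum):
    SECURE = "secure"      # every DS -> DNSKEY -> RRSIG link verified
    INSECURE = "insecure"  # chain ends at an unsigned or NTA-covered zone
    BOGUS = "bogus"        # a signed zone whose signatures do not verify


@dataclass
class ZoneLink:
    name: str               # ".", "de", "example.de" (constructed)
    signed: bool            # parent publishes a DS; zone has DNSKEY/RRSIG
    signatures_valid: bool  # DS -> DNSKEY -> RRSIG verifies for this zone


@dataclass
class CacheEntry:
    rdata: str
    expires_at: int         # unix time at which the record's TTL ran out


@dataclass
class Answer:
    rcode: str              # "NOERROR" or "SERVFAIL"
    rdata: Optional[str]
    ede: Optional[int]


def validate_chain(chain: List[ZoneLink],
                   ntas: FrozenSet[str] = frozenset()) -> Validation:
    """Walk the chain root -> leaf. The first broken link makes everything
    beneath it bogus, even zones whose own signatures are fine. An NTA on a
    zone makes the resolver treat that zone (and everything below it) as
    unsigned instead, which is the override the post describes for .de."""
    for link in chain:
        if link.name in ntas or not link.signed:
            return Validation.INSECURE
        if not link.signatures_valid:
            return Validation.BOGUS
    return Validation.SECURE


def resolve(chain: List[ZoneLink], fresh_rdata: str,
            cache: Optional[CacheEntry], now: int,
            ntas: FrozenSet[str] = frozenset(),
            authority_reachable: bool = True,
            max_stale: int = DEFAULT_MAX_STALE) -> Answer:
    """Decide what to return to the client. `fresh_rdata` stands in for the
    record the authoritative server hands back; `cache` is the last answer
    this resolver validated, possibly past its TTL."""
    if not authority_reachable:
        failure = EDE_NO_REACHABLE_AUTHORITY  # no authority answered at all
    else:
        status = validate_chain(chain, ntas)
        if status is not Validation.BOGUS:
            return Answer("NOERROR", fresh_rdata, None)
        failure = EDE_DNSSEC_BOGUS            # data arrived, signatures failed

    # RFC 8767: rather than fail, keep serving a previously validated answer
    # for a bounded time after its TTL expired, and say so with EDE 3.
    if cache is not None and now - cache.expires_at <= max_stale:
        return Answer("NOERROR", cache.rdata, EDE_STALE_ANSWER)
    # Nothing usable left: SERVFAIL carrying the real cause, so an operator
    # can tell a signature problem (EDE 6) from an unreachable zone (EDE 22).
    return Answer("SERVFAIL", None, failure)


if __name__ == "__main__":
    # Constructed scenario: the .de link is broken, example.de itself is fine.
    chain = [ZoneLink(".", True, True),
             ZoneLink("de", True, False),
             ZoneLink("example.de", True, True)]
    cache = CacheEntry("203.0.113.10", expires_at=1_000_000)
    print(resolve(chain, "203.0.113.10", cache, now=1_000_000 + 3600))
    print(resolve(chain, "203.0.113.10", cache, now=1_000_000 + 5 * 86400))
    print(resolve(chain, "203.0.113.10", cache, now=1_000_000 + 5 * 86400,
                  ntas=frozenset({"de"})))
```

Running the script walks the three phases of the incident in order: an hour after the cached answer expired, serve-stale still returns the old address with EDE 3; once the stale window is exhausted the same query becomes SERVFAIL with EDE 6; with the NTA on "de" in place the chain validates as insecure and the fresh answer is returned with no error. The `authority_reachable` flag exists only to show that EDE 22 belongs to a different failure, one where no data came back at all, which is why reporting it for a signature failure points operators at the wrong layer.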