
.de TLD offline due to DNSSEC?

A Verisign DNSSEC analyzer page for nic.de sparked alarm on Hacker News, as it coincided with widespread reports of major German websites, like Amazon.de, becoming unreachable. Commenters quickly deduced a critical DNSSEC validation failure was the culprit, demonstrating how a subtle technical misconfiguration can bring down significant portions of the internet. The incident underscored the fragility of core internet infrastructure and the power of distributed diagnosis.

Score: 37 | Comments: 7 | Highest Rank: #1 | On Front Page: 16h | First Seen: May 5, 8:00 PM | Last Seen: May 6, 11:00 AM

The Lowdown

This post linked to a Verisign DNSSEC Analyzer report for nic.de, the registry for Germany's top-level domain (.de). While the page itself is a diagnostic tool, its appearance on Hacker News quickly became the focal point for a suspected widespread internet outage.

  • The Verisign tool is designed to identify and explain DNSSEC-related issues for a given domain.
  • The specific analysis shown was for nic.de, which manages the .de TLD.
  • It provides visual cues (red/yellow icons) and hints for remediation of DNSSEC problems.
  • Crucially, the context provided by the HN post's title and immediate comments suggested the entire .de TLD was experiencing issues.
  • Users reported prominent German sites, such as Amazon.de and SPIEGEL.de, were largely inaccessible.
  • The issue was swiftly attributed to a DNSSEC validation failure rather than a general nameserver outage.

What appeared to be a mundane diagnostic link became the key piece of evidence in a live incident, highlighting how crucial and sometimes fragile the foundational layers of the internet, like DNSSEC, truly are. It demonstrated real-time, community-driven incident response and analysis.

The Gossip

Widespread Web Woes

Initial reports confirmed a significant outage affecting numerous prominent .de domains, including Amazon.de and SPIEGEL.de, though not all .de sites were impacted. The gravity of the situation was immediately apparent to commenters, who expressed surprise at the scope of the problem.

DNSSEC Detective Work

Commenters quickly pinpointed DNSSEC as the likely cause, with detailed technical analysis showing specific validation failures. One user provided a definitive `unbound-host` output, demonstrating that `denic.de`'s DS record pointed to a non-existent DNSKEY, confirming a critical mismatch in the chain of trust.

Connectivity Conundrum

While many experienced issues, some users initially reported successful resolution of .de nameservers, leading to a brief period of confusion. This highlighted that the problem wasn't a general nameserver unreachability, but a more subtle DNSSEC validation breakdown that affected resolvers performing DNSSEC checks.
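
The DS-to-DNSKEY mismatch described under "DNSSEC Detective Work", and the reason only validating resolvers failed as noted under "Connectivity Conundrum", can be reproduced offline. The following is an added example, not code or output from the thread: the zone name, the byte patterns standing in for public keys, and the helper names are constructed, and only SHA-256 (digest type 2) DS records are handled.

```python
import hashlib
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B, algorithms other than 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def ds_for(owner: str, rdata: bytes) -> tuple:
    """DS (key tag, algorithm, digest type 2 = SHA-256, digest) for a DNSKEY."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def delegation_status(owner: str, ds_set: list, dnskey_set: list) -> str:
    """What a validating resolver concludes at this link of the chain."""
    if not ds_set:
        # Assumes the parent proved that no DS exists: unsigned, still resolves.
        return "insecure"
    child = {ds_for(owner, k) for k in dnskey_set}
    # RRSIG verification over the DNSKEY RRset is a further step not covered here.
    return "secure" if any(ds in child for ds in ds_set) else "bogus"

# Constructed sample data: byte patterns stand in for real public keys.
ZONE = "zone.example."
OLD_KSK = dnskey_rdata(257, 13, bytes(range(64)))
NEW_KSK = dnskey_rdata(257, 13, bytes(range(64, 128)))
ZSK = dnskey_rdata(256, 13, b"\xaa" * 64)
PARENT_DS = [ds_for(ZONE, OLD_KSK)]  # parent still references the old key

if __name__ == "__main__":
    for label, keys in (("healthy", [OLD_KSK, ZSK]), ("mismatch", [NEW_KSK, ZSK])):
        tags = [key_tag(k) for k in keys]
        print(label, "DS tag", PARENT_DS[0][0], "DNSKEY tags", tags,
              "->", delegation_status(ZONE, PARENT_DS, keys))
```

A "bogus" result is what a validating resolver turns into SERVFAIL, while a resolver that performs no DNSSEC checks never evaluates the DS and keeps answering, which matches the mixed reports in the thread.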