klotz: dnssec*

  1. On May 5, 2026, DENIC published incorrect DNSSEC signatures for the .de TLD during a key rollover, causing validating resolvers globally to return SERVFAIL errors. This article details how Cloudflare's 1.1.1.1 resolver responded using "serve stale" mechanisms and implemented an emergency override equivalent to a Negative Trust Anchor (NTA) to restore connectivity by treating the zone as unsigned. The post also covers mitigations for origin resolution and identifies improvements needed for Extended DNS Error (EDE) reporting.

    - Impact of TLD-level DNSSEC misconfigurations on child domains
    - How RFC 8767 "serve stale" cushions the impact of upstream outages
    - Using Negative Trust Anchors to bypass broken cryptographic validation
    - Lessons learned regarding transparency in Extended DNS Error reporting
    2026-05-07, by klotz
  2. 2012-07-19, by klotz
  3. 2012-07-19, by klotz
  4. 2012-07-19, by klotz
  5. 2012-07-19, by klotz
  6. 2012-01-12, by klotz
