Cloudflare Blog
When DNSSEC goes wrong: how we responded to the .de TLD outage
ATT&CK techniques detected
T1482 Domain Trust Discovery
71%
“was largely out of our own control, and serve stale was doing its job, there was still a legitimate impact for a lot of users. luckily, there were some actions we were able to take to improve the situation. negative trust anchors rfc 7646 defines the concept of a negative trust a…”
T1572 Protocol Tunneling
41%
“up from our trust chain verifier. when the verifier detects a bogus signature it creates the dnssec bogus ede code, but this is never inserted into the response. instead, the outer layer of the resolver sees a problem with recursive resolution with no error code and falls back to…”
Summary
On May 5, 2026, DENIC published broken DNSSEC signatures for the .de TLD, making millions of domains unreachable. Here's what 1.1.1.1 saw, how serve stale cushioned the impact, and how we restored resolution.