Cloudflare Disables DNSSEC for .de Domains After DENIC Signing Issue

What happened

Cloudflare experienced widespread DNS resolution issues affecting German .de domains on May 5. The problem was traced to a DNSSEC signing failure at DENIC, the registry operator for Germany's .de top-level domain. To restore access, Cloudflare temporarily disabled DNSSEC validation for all .de domains on their 1.1.1.1 public DNS resolver, following RFC 7646 procedures. The incident affected any websites or services using .de domains that relied on Cloudflare's DNS infrastructure.

Business impact

Background

DNSSEC provides cryptographic authentication for DNS responses, preventing cache poisoning and other DNS attacks. DENIC operates one of Europe's largest country-code domains with over 17 million registered .de domains. When DNSSEC signing fails at the registry level, resolvers that strictly validate signatures will reject all queries for affected domains, creating widespread connectivity issues.

What this means for your team

What to watch

Monitor whether DENIC provides a post-incident analysis explaining the DNSSEC signing failure. Watch for similar incidents affecting other major ccTLD operators, as DNSSEC operational issues can cascade across registry infrastructure.

Sources

• Resolution Issues for .de Domains
  Cloudflare Status

Related stories

• Major Platform Outages Hit Netlify, Vercel, Cloudflare in Early May ship-stopper
• Cloudflare Plans Major Datacenter Maintenance Across 8 Global Sites ship-stopper
• Vercel Multiple Outages April: Deployments, Webhooks, Support ship-stopper
• Cloudflare Page Rules HTTP Redirects Failing on Worker Subrequests heads-up
• Cloudflare Durable Objects Outage Hits Eastern North America heads-up