blog.cloudflare.com · 5/6/2026, 8:21:21 PM

DENIC .de DNSSEC slip triggers SERVFAIL, Cloudflare intervenes

Primary Source blog.denic.de

On May 5, 2026, at roughly 19:30 UTC, DENIC, the registry that operates the .de TLD, began publishing DNSSEC signatures for the .de zone that did not validate. Any validating resolver that fetched the bad records, including Cloudflare's public resolver 1.1.1.1, failed validation and answered SERVFAIL for names under .de. The incident showed how a misconfiguration at a single TLD can affect millions of domains: SERVFAIL rates kept climbing for about three hours as cached records expired and resolvers fetched fresh copies they could not verify.

During the outage, resolvers that implement serve-stale (RFC 8767) kept answering from expired cache entries for names they could no longer refresh, which cushioned the impact for a while. Cloudflare's mitigation was a Negative Trust Anchor (RFC 7646) for .de, configured as an override in Big Pineapple, its resolver software: with the NTA in place the validator treats .de as an insecure (unsigned) delegation, so answers are returned without DNSSEC validation and without the AD flag. The override was rolled out at 22:17 UTC and ended the impact for 1.1.1.1.

Cloudflare also applied a similar NTA on its internal origin resolver, restoring connectivity to customer origins under .de, and noted that its DNSSEC error reporting needs improvement: the Extended DNS Error (EDE, RFC 8914) codes that should tell a client why a query returned SERVFAIL were sometimes not surfaced as intended. Cloudflare emphasised that DNSSEC remains essential even though a registry-level misconfiguration can cause widespread disruption.
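The triage a resolver operator would run during an incident like this is to query the zone with DNSSEC enabled, repeat the query with the CD (checking disabled) bit set to confirm the data is reachable, and read the EDE code and AD flag from each answer. The script below, an added example that is not code from the Cloudflare or DENIC posts, classifies a dig transcript along those lines; the transcripts embedded in it are constructed for the example, and the EDE codes they carry are illustrative rather than the ones observed on May 5, 2026.

```shell
#!/bin/sh
# Added example (not from the Cloudflare or DENIC posts): classify a dig transcript
# the way a resolver operator would while triaging a DNSSEC incident.
# The transcripts below are constructed for this example; their EDE codes are
# illustrative, not the ones observed on May 5, 2026.
#
# Live use (needs network, not part of the offline demo):
#   dig +dnssec @1.1.1.1 denic.de SOA     | sh classify.sh --stdin   # validating query
#   dig +dnssec +cd @1.1.1.1 denic.de SOA | sh classify.sh --stdin   # CD bit: skip validation
# VALIDATION_FAILURE on the first and UNVALIDATED on the second means the data is
# reachable and only the signatures are broken, the situation an NTA works around.

# Read a dig transcript from stdin and print one classification token.
classify_dig() {
  local transcript status ede adflag
  transcript=$(cat)
  # RCODE from the header line: ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: ..."
  status=$(printf '%s\n' "$transcript" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  # Extended DNS Error (RFC 8914) code, printed by dig as "; EDE: <code> (<text>)"
  ede=$(printf '%s\n' "$transcript" | sed -n 's/^; EDE: \([0-9][0-9]*\).*/\1/p' | head -n 1)
  # An "ad" flag in ";; flags: qr rd ra ad;" means the resolver validated the answer.
  adflag=$(printf '%s\n' "$transcript" | grep -c '^;; flags:.* ad[ ;]' || true)

  case "$status" in
    SERVFAIL)
      case "$ede" in
        # 6 Bogus, 7 Signature Expired, 8 Signature Not Yet Valid, 9 DNSKEY Missing,
        # 10 RRSIGs Missing, 11 No Zone Key Bit Set, 12 NSEC Missing (RFC 8914)
        6|7|8|9|10|11|12) echo "VALIDATION_FAILURE:$ede" ;;
        "")               echo "SERVFAIL_NO_EDE" ;;   # resolver gave no reason
        *)                echo "SERVFAIL_OTHER:$ede" ;;
      esac ;;
    NOERROR)
      if [ "$ede" = "3" ]; then
        echo "STALE_ANSWER"      # served from expired cache (RFC 8767 serve-stale)
      elif [ "$adflag" -gt 0 ]; then
        echo "SECURE"            # validated by the resolver
      else
        echo "UNVALIDATED"       # unsigned zone, CD query, or an NTA in effect
      fi ;;
    *)
      echo "OTHER:${status:-NONE}" ;;
  esac
}

# Constructed transcript: validating query during the outage (SERVFAIL plus EDE 6).
SAMPLE_BOGUS=$(cat <<'EOF'
; <<>> DiG 9.18 <<>> +dnssec @1.1.1.1 denic.de SOA
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23171
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; EDE: 6 (DNSSEC Bogus)
;; QUESTION SECTION:
;denic.de.              IN      SOA
EOF
)

# Constructed transcript: the same query with +cd, answered but not validated.
SAMPLE_CD=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5412
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1232
;; ANSWER SECTION:
denic.de.               3600    IN      SOA     ns1.example. hostmaster.example. 1 3600 1800 604800 300
EOF
)

# Constructed transcript: serve-stale answer flagged with EDE 3 ("Stale Answer").
SAMPLE_STALE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9001
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDE: 3 (Stale Answer)
EOF
)

# Constructed transcript: a SERVFAIL where the resolver attached no EDE at all.
SAMPLE_SILENT=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 777
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
)

# Constructed transcript: healthy validated answer (AD flag set).
SAMPLE_SECURE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
EOF
)

# Classify each constructed transcript so the script does something stand-alone.
demo() {
  for name in SAMPLE_BOGUS SAMPLE_CD SAMPLE_STALE SAMPLE_SILENT SAMPLE_SECURE; do
    eval "sample=\$$name"
    printf '%-14s %s\n' "$name" "$(printf '%s\n' "$sample" | classify_dig)"
  done
}

if [ "${1:-}" = "--stdin" ]; then classify_dig; else demo; fi
```

The SERVFAIL_NO_EDE outcome is the case the post flags as needing better reporting: a client that sees only SERVFAIL cannot tell a validation failure from an unreachable authority without the second, CD-bit query.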


Article by CyberSIXT