<div dir="ltr"><div><div style="font-family:monospace;white-space:pre">Posting in case anyone else is seeing this and to give DENIC additional
visibility. As of ~2026-05-05 21:43 UTC, validating resolvers are
returning SERVFAIL with EDE 6 (DNSSEC Bogus) for a substantial fraction
of .de names, including <a href="http://denic.de">denic.de</a> itself.

== Symptom ==

  $ dig denic.de @8.8.8.8 +noall +comments
  ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL
  ; EDE: 6 (DNSSEC Bogus): (RRSIG with malformed signature found
    for a0d5d1p51kijsevll74k523htmq406bk.de/nsec3 (keytag=33834))

  $ dig denic.de @8.8.8.8 +cd +short      # bypass validation -> resolves

Reproduces against 8.8.8.8, 1.1.1.1, 9.9.9.9. Quad9's non-validating
endpoint 9.9.9.10 returns the answer with EDE 6 set. CD=1 always works.

== Scope (quick sample, 8.8.8.8) ==

    google.de       NOERROR       (cached/working for now)
    heise.de        NOERROR       (cached/working for now)
    denic.de        SERVFAIL      EDE 6
    bahn.de         SERVFAIL      EDE 6
    spiegel.de      SERVFAIL      EDE 6
    bmw.de          SERVFAIL      EDE 6
    telekom.de      SERVFAIL      EDE 6
    nonexistent-test-zzz.de
                    SERVFAIL      EDE 6   (NXDOMAIN proof also fails)

The "still working" set is presumably whatever still has good cached
signatures; expect it to shrink as TTLs expire.

== Where the chain breaks ==

  root -> .de DS                          OK
  .de DNSKEY rrset, signed by KSK 26755   OK
  .de NSEC3 + SOA RRSIGs, signed by ZSK 33834   <-- malformed

Chain of trust is intact down to the DNSKEY rrset; the per-record
signatures generated by ZSK keytag 33834 do not validate. RRSIG
inception 2026-05-05 17:49:38 UTC, expiry 2026-05-19 19:19:38 UTC, so
fresh signatures, not an expiry. Looks like a ZSK / signer mismatch
(private signer key not corresponding to the published DNSKEY with that
tag) or a botched ZSK rollover.

== Not a nameserver distribution issue ==

I queried four .de authoritatives at different operators / networks for
the same NSEC3 RRSIG:

  a.nic.de   194.0.0.53
  f.nic.de   81.91.164.5
  s.de.net   195.243.137.26
  n.de.net   194.146.107.6

All four return BYTE-IDENTICAL RRSIGs (same inception/expiry/keytag,
identical base64). So the bad data left the signer already broken — it
is not a primary/secondary sync issue, anycast inconsistency, or
on-the-wire corruption.

== Sample bad RRSIG (from 194.0.0.53) ==

  a0d5d1p51kijsevll74k523htmq406bk.de. 7200 IN NSEC3 1 1 0 -
      A0D5F6VETKD4HE1UG3NJGF20U4QMCIAQ NS SOA RRSIG DNSKEY NSEC3PARAM

  a0d5d1p51kijsevll74k523htmq406bk.de. 7200 IN RRSIG NSEC3 8 2 7200
      20260519191938 20260505174938 33834 de.
      DZhBfHZt+n/IFEdUgogT4NpxzdkzLjUMslehShbTAbH6n4qaRnMH9zGu
      gRutdlxWrtEywgA6XEpU+vsE2wBkS3BWXA1D1BWoLqmxETwqZSmXnJ30
      IM16mtRwp9nxbWOMWAr/KfTiyoa+xPivpFl6Rg8jSzX3HIGGlLHAFVgZ KaY=

== Repro ==

  for r in 8.8.8.8 1.1.1.1 9.9.9.9; do
      dig denic.de @"$r" +noall +comments | grep -E '(status|EDE)'
  done

  # check the bad RRSIG is identical across .de authoritatives
  for ns in 194.0.0.53 81.91.164.5 195.243.137.26 194.146.107.6; do
      echo "--- $ns ---"
      dig denic.de DS @"$ns" +dnssec +noall +authority \
          | grep -E 'NSEC3 1 1|RRSIG NSEC3'
  done

== Asks ==

1. Anyone else seeing this from other vantage points? Any reports of it
   clearing up, or has it just started?
2. DENIC: a parallel report has been sent to <a href="mailto:dns-operations@denic.de">dns-operations@denic.de</a>.
3. If anyone has a current contact at DENIC outside that address,
   please ping them.

Thanks</div><br clear="all"></div><br><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">Nils Lind<br>Founder &amp; CEO<br><a href="mailto:nils@assertive.ai" target="_blank">nils@assertive.ai</a></div></div>

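<p>Added example, not part of the original post: the two arguments the post draws from the RRSIG data (the signature is inside its validity window, and every authoritative server returns the same bytes), checked offline against saved <code>dig +dnssec</code> lines. The function names are hypothetical and the signature strings are constructed placeholders; owner name, timestamps and keytag are the ones quoted in the post.</p>

```bash
#!/bin/sh
# Added example: triage saved `dig +dnssec` lines offline.
# Owner name, times and keytag are taken from the post; the signature
# text is a constructed placeholder, not a real signature.
NS_A='a0d5d1p51kijsevll74k523htmq406bk.de. 7200 IN RRSIG NSEC3 8 2 7200 20260519191938 20260505174938 33834 de. PLACEHOLDERsigAAAA BBBBCCCC='
# Same record from a second server, base64 chunked differently (constructed).
NS_B='a0d5d1p51kijsevll74k523htmq406bk.de. 7200 IN RRSIG NSEC3 8 2 7200 20260519191938 20260505174938 33834 de. PLACEHOLDERsig AAAABBBB CCCC='
# Constructed counter-case: one server hands out different signature bytes.
NS_DRIFT='a0d5d1p51kijsevll74k523htmq406bk.de. 7200 IN RRSIG NSEC3 8 2 7200 20260519191938 20260505174938 33834 de. DIFFERENTsigAAAA BBBBCCCC='

# rrsig_state NOW  (stdin: dig output)
# Prints "<keytag> <type covered> <state>" per RRSIG. NOW uses the same
# YYYYMMDDHHMMSS UTC form as the RRSIG fields, so numbers compare directly.
rrsig_state() {
  awk -v now="$1" '$4 == "RRSIG" {
    state = "in-window"
    if (now + 0 < $10 + 0)     state = "not-yet-valid"  # before inception
    else if (now + 0 > $9 + 0) state = "expired"        # after expiration
    print $11, $5, state
  }'
}

# rrsig_mismatches  (stdin: RRSIG lines collected from several servers)
# Prints how many owner/type/keytag groups carry more than one distinct
# RRSIG. 0 means every server returned the same signature bytes.
rrsig_mismatches() {
  awk '$4 == "RRSIG" {
    sig = ""
    for (i = 13; i <= NF; i++) sig = sig $i            # rejoin base64 chunks
    key = tolower($1) " " $5 " " $11
    rd = $6 " " $7 " " $8 " " $9 " " $10 " " $12 " " sig
    if (!((key, rd) in seen)) { seen[key, rd] = 1; variants[key]++ }
  }
  END { n = 0; for (k in variants) if (variants[k] > 1) n++; print n }'
}

# Observation time from the post: ~2026-05-05 21:43 UTC.
printf '%s\n' "$NS_A" | rrsig_state 20260505214300
printf 'groups with differing RRSIGs: %s\n' \
  "$(printf '%s\n' "$NS_A" "$NS_B" | rrsig_mismatches)"
```

<p>With live data, append each server's <code>+dnssec +noall +authority</code> output to one file and pipe that file to both functions.</p>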