https://www.christian-spoo.de/tags/internet/Recent content in Internet on Christian SpooHugoen-usWed, 06 May 2026 09:25:12 +0200https://www.christian-spoo.de/posts/2026/05/the-night-dnssec-broke-.de/Wed, 06 May 2026 09:00:00 +0200https://www.christian-spoo.de/posts/2026/05/the-night-dnssec-broke-.de/<p>Last night, large parts of the German internet quietly broke. Not for everyone — which made it more confusing, not less. Bahn.de, Spiegel.de, and thousands of other <code>.de</code> domains returned <code>SERVFAIL</code> to anyone using a security-conscious DNS resolver. The culprit was DENIC, the registry responsible for the <code>.de</code> top-level domain, and a botched key rollover in their DNSSEC setup.</p> <h2 id="what-dnssec-is-supposed-to-do">What DNSSEC is supposed to do</h2> <p>DNS — the system that translates domain names like <code>spiegel.de</code> into IP addresses — was designed in an era when the internet was a considerably more trusting place. It has no built-in mechanism to verify that the answers you receive are genuine and haven&rsquo;t been tampered with in transit. An attacker positioned between you and your DNS resolver can, in principle, return fake records and silently redirect you to a malicious server.</p>