On May 5, 2026, a major .de outage disrupted access to websites across Germany and Europe. The incident, caused by a failure at DENIC, the operator of the .de top-level domain, resulted in widespread DNS resolution failures.
This was not a typical service outage. It was a failure at the DNS layer that made entire domains unreachable. As DNS caches expired, more services went offline, creating the appearance of a spreading outage across unrelated companies.
Summary of the incident
The core issue was a disruption in DENIC’s DNS service that caused DNSSEC validation to fail. When DNSSEC signatures cannot be verified, resolvers reject responses entirely. As a result, domains do not resolve.
DENIC confirmed the issue during the incident, about 30 mins after StatusGator first reported Early Warning Signals for affected services.
DENIC eG is currently experiencing a disruption in its DNS service for .de domains. As a result, all DNSSEC signed .de domains are currently affected in their reachability.
They also noted that the root cause was still under investigation and that users could experience impairments in domain resolution.
Independent infrastructure provider such as Cloudflare observed the same pattern, reporting issues with authoritative resolution for the .de TLD. Eventually, Cloudflare decided to disable DNSSEC on .de domains, specifically on their popular and widely-used 1.1.1.1 DNS resolver:
Cloudflare has temporarily disabled DNSSEC validation for .de domains on 1.1.1.1 resolver (as per RFC 7646) in order to allow .DE names to continue to resolve.
Timeline based on StatusGator data
- 07:57 UTC
Earliest reports of outages at .de domains come into StatusGator - 20:03 UTC
StatusGator issues Early Warning Signal for German bank, N26, which begins experiencing widespread login issues. - 20:21 UTC
German shipping provider DHL becomes inaccessible - 20:36 UTC
IONOS Germany reports DNS resolution issues - ~20:36 to 20:40 UTC
Large increase in user reports referencing .de domains not resolving and DNSSEC failures - ~21:06 UTC
DENIC moves to WARN state - ~21:28 UTC
DENIC publicly acknowledges DNS disruption affecting .de domains - ~21:31 UTC
DENIC marked DOWN as impact becomes widespread - 21:30 to 22:30 UTC
Peak impact period with widespread DNS resolution failures across .de domains - 22:37 UTC
Cloudflare announces that they have disabled DNSSEC for .de domains on their public 1.1.1.1 resolver - ~23:37 UTC
DENIC returns to UP and recovery begins
What is DNSSEC?
DNSSEC, or Domain Name System Security Extensions, is a system that verifies DNS responses using cryptographic signatures. It ensures that the response a resolver receives has not been tampered with.
When DNSSEC validation fails, resolvers do not return potentially incorrect data. They reject the response entirely. This causes domains to appear offline even if the underlying service is still running normally.
Why .de domains were not resolving
During this incident, DNSSEC validation for .de domains failed at the TLD level. This broke the chain of trust required for resolvers to accept DNS responses.
As a result:
- DNS queries returned validation errors
- Resolvers rejected responses
- Domains appeared completely unreachable
Because DNS responses are cached, the outage did not impact all users at once. Instead, services became inaccessible gradually as cached records expired.
Impact
The outage affected a wide range of services relying on .de domains, including banking, logistics, hosting, and media. Because the failure occurred at the DNS layer, the impact extended beyond individual services and affected any system attempting to resolve .de domains.
User reports during the incident consistently referenced domains not resolving, DNSSEC errors, and complete loss of connectivity.
Reports were observed across multiple countries, including Germany, Switzerland, Italy, and Sweden, which is consistent with a global DNS validation failure tied to a single TLD.
StatusGator Early Warning Signals
This incident initially appeared as multiple unrelated outages. N26 login issues, DHL downtime, and hosting provider failures did not immediately point to a single root cause.
StatusGator identified the pattern early using Early Warning Signals, our proprietary algorithm that alerts before provider status pages. By correlating simultaneous issues across unrelated services, it became clear that the failures were connected and centered around .de domains.
Before DENIC officially acknowledged the incident, StatusGator had already:
- detected simultaneous disruptions across multiple services
- identified clustering around .de domains
- surfaced DNS and DNSSEC-related user reports
This allowed the incident to be understood as a single infrastructure failure rather than independent outages.
Key takeaways
Failures at the DNS layer can affect entire ecosystems, not just individual services. DNSSEC improves security but introduces strict failure conditions where validation errors result in complete outages.
Large incidents often begin as unrelated service failures. Identifying the root cause requires correlating signals across multiple providers. StatusGator, the world’s most trusted status page aggregator, can help by giving your team a single pane of glass view into all your dependencies.
The May 5 .de outage shows how a single issue at the TLD level can disrupt access to a large portion of the internet.
