When DNSSEC goes wrong: how we responded to the .de TLD outage

On May 5, 2026 DENIC published incorrect DNSSEC signatures for the .de TLD causing validating resolvers to reject responses and return SERVFAIL; Cloudflare observed increased SERVFAILs and query retries, relied on RFC8767 “serve stale” behavior to reduce user impact, and deployed an override equivalent to a Negative Trust Anchor to bypass DNSSEC validation for .de while DENIC fixed the key rollover misconfiguration.