An entire country dropped off the internet today. The culprit? DNSSEC. Let's dive into the massive .de TLD outage and why 'It's always DNS'.
There's an ancient Haiku in IT that every dev learns through blood and tears: "It's not DNS. There's no way it's DNS. It was DNS." Today, Germany learned this the hard way as their entire .de infrastructure seemingly logged out of the internet.
Hacker News is currently blowing up with a post about the .de TLD going offline. Yep, you heard that right. An entire country's Top-Level Domain just dropped off the face of the earth. Devs trying to resolve any .de domain were met with the absolute void.
Running it through Verisign's analyzer showed a glorious waterfall of red errors pointing straight to a DNSSEC failure at the root of nic.de. For the uninitiated, DNSSEC is like putting a high-tech biometric lock on your door to stop intruders. It sounds badass until you forget to charge the battery and lock yourself out of your own house. It seems the .de registry just locked themselves out. Millions of sites and email servers instantly became unreachable.
While sysadmins were too busy putting out fires to comment, the global tech community on HN quickly formed their usual factions:
.com fallback, and pray to the network gods, I guess?TL;DR for the homies out there:
First, if you don't fully, 100% understand DNSSEC and have a flawless key rotation pipeline, do not turn it on. It is a loaded gun pointed directly at your infrastructure's foot.
Second, sometimes outages are completely above your paygrade. When a core internet infrastructure fails at the TLD level, you can't hotfix it. Close your laptop, tell your boss "it's an upstream issue," go touch some grass, and let the network wizards at the registry sweat it out.
Sauce: