Some systems are experiencing issues.
We are currently observing early signs of recovery, as NSEC3 for DNSSEC is being correctly validated again. We will take the opportunity to perform a key rollover once the TTL for DNSSEC has expired on all clients.
We are currently investigating an issue affecting .de domains where the .de zone is propagating incorrect DNSSEC data, leading to DNS resolution failures for DNSSEC-enabled domains.
Initial analysis indicates this issue originates on the DENIC side.
As a mitigation measure, we have temporarily removed DNSSEC from our primary domain. However, due to the nature of DNS propagation and caching, some impact may still persist.
We will continue to monitor the situation closely and provide updates as more information becomes available.
Incident UUID 32f03fc1-719b-4a3b-8c4c-22e5ca9bc6bb