Netcup Domain Registrar Hit by Silent DNSSEC Failure Affecting Multiple Domains
Key Takeaways
- Netcup's DNSSEC infrastructure failure is causing mismatched DS records and DNSKEY entries, rendering affected domains unreachable on DNSSEC-validating DNS services
- Major DNS providers including Google (8.8.8.8) and Cloudflare (1.1.1.1) are blocking access to affected domains due to failed DNSSEC validation
- The issue has persisted for multiple days despite Netcup support claiming it was resolved, affecting multiple customer domains
Summary
European domain registrar Netcup is experiencing a critical DNSSEC infrastructure failure that has rendered numerous domains unreachable for users on major DNS services including Google and Cloudflare. The issue, first reported on Saturday, stems from a mismatch between advertised DS (Delegation Signer) records and the actual DNSSEC keys stored on Netcup's nameservers. A user discovered the problem affecting their domain pikz.cc when DNS queries revealed that the advertised DS record (key ID 33487) did not match the actual DNSKEY records (key IDs 51649 and 37505) returned by Netcup's nameservers.
The failure particularly impacts users whose DNS queries go through resolvers that enforce DNSSEC validation, such as Google's 8.8.8.8 and Cloudflare's 1.1.1.1. When these resolvers walk the DNSSEC chain of trust and find that no DS record published by the parent matches any DNSKEY served by the zone, they correctly treat the zone as bogus and refuse to return an answer. The domains therefore appear completely unreachable to a significant portion of internet users, while remaining accessible to those using DNS services that don't validate DNSSEC.
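The check those resolvers perform can be reproduced offline. The following is an added example (not Netcup's code or any tool mentioned in the report): it implements the RFC 4034 key-tag calculation and the RFC 4509 SHA-256 DS digest in pure Python, then reports whether a DS RRset from the parent is satisfied by a DNSKEY RRset from the zone. The zone name `example.test`, the DNSKEY byte strings, the placeholder digest and the algorithm number attached to the report's key tag 33487 are all constructed test data.

```python
"""
Check whether a parent's DS RRset actually matches a zone's DNSKEY RRset.

Added example, not Netcup's code. It reproduces the DS/DNSKEY comparison a
validating resolver makes (RFC 4034 key tag, RFC 4509 SHA-256 digest).
All key material and the stale DS below are constructed for illustration.
"""
import base64
import hashlib
import struct


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA
    (flags | protocol | algorithm | public key). Algorithm 1 (RSA/MD5)
    uses a different rule and is not supported here."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Build DNSKEY RDATA from the presentation form printed by `dig DNSKEY`."""
    return struct.pack(">HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def wire_name(name: str) -> bytes:
    """Owner name in canonical (lowercase, uncompressed) wire format."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2 (SHA-256, RFC 4509): SHA-256(owner name | DNSKEY RDATA)."""
    return hashlib.sha256(wire_name(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes) -> tuple:
    """The DS record (key_tag, algorithm, digest_type, digest) the parent should
    publish for this DNSKEY. The algorithm field is byte 3 of the RDATA."""
    return (key_tag(rdata), rdata[3], 2, ds_digest(owner, rdata))


def matching_ds_tags(owner: str, ds_set, dnskey_set) -> set:
    """Key tags of the DS records satisfied by some DNSKEY in the zone.
    ds_set: iterable of (key_tag, algorithm, digest_type, digest) tuples;
    dnskey_set: iterable of DNSKEY RDATA bytes. Only digest type 2 is checked."""
    matched = set()
    for tag, alg, dtype, digest in ds_set:
        if dtype != 2:
            continue
        for rdata in dnskey_set:
            if key_tag(rdata) == tag and rdata[3] == alg and ds_digest(owner, rdata) == digest:
                matched.add(tag)
                break
    return matched


def zone_is_bogus(owner: str, ds_set, dnskey_set) -> bool:
    """A validating resolver needs at least one DS to match a DNSKEY (RFC 4035
    section 5.2). If none does, the zone is bogus and the resolver answers
    SERVFAIL instead of the address, which is the symptom in the report."""
    return not matching_ds_tags(owner, ds_set, dnskey_set)


# Constructed test data: a KSK (flags 257) and a ZSK (flags 256), protocol 3,
# algorithm 13, with placeholder public-key bytes (64 bytes, as a real
# algorithm-13 key would be), plus a stale DS whose key tag is the 33487 from
# the report and whose algorithm and digest are placeholders.
ZONE = "example.test"
KSK_RDATA = bytes([0x01, 0x01, 0x03, 0x0D]) + bytes(range(64))
ZSK_RDATA = bytes([0x01, 0x00, 0x03, 0x0D]) + bytes(range(64, 128))
STALE_DS = (33487, 13, 2, bytes(32))

if __name__ == "__main__":
    print("DNSKEY key tags served:", key_tag(KSK_RDATA), key_tag(ZSK_RDATA))
    print("bogus with stale DS:", zone_is_bogus(ZONE, [STALE_DS], [KSK_RDATA, ZSK_RDATA]))
    print("bogus with correct DS:", zone_is_bogus(ZONE, [make_ds(ZONE, KSK_RDATA)], [KSK_RDATA, ZSK_RDATA]))
```

To run it against a real delegation, take the DS RRset from the parent and the DNSKEY RRset from the zone's own nameservers (for example with `dig DS` and `dig DNSKEY`), convert each DNSKEY with `dnskey_rdata`, and pass both sets to `zone_is_bogus`. Because the comparison is done locally, it reports a mismatch regardless of whether the monitoring host's resolver validates DNSSEC, which is exactly the blind spot the report describes.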
Despite the user contacting Netcup support three times since Saturday, and the company claiming on Monday that the issue was resolved, the problem persists. The silent nature of this failure is particularly concerning: many monitoring services don't use DNSSEC-validating resolvers, so affected domain owners may receive no automated alert that their sites are down. The only indicators for the affected user were a noticeable drop in website traffic and browser error messages when accessing the domain through DNSSEC-validating resolvers.