From the NIC themselves:
During a routine DNSSEC key exchange on May 5, 2026, some invalid signatures were generated and distributed. As a result, validating resolvers were temporarily unable to successfully verify their DNS responses for .de domains. This led to noticeable limitations in the accessibility of .de domains for approximately three hours. Normal operation was fully restored during the night of May 6.
and
instead of generating one key pair and storing it on three HSMs, the software generated three different key pairs – one for each HSM. All three HSMs were used for signing, but only one had a key that matched the (pre-)published DNSKEY RR.
Notably
Several operators of large resolvers temporarily suspended the validation of .de domains, thereby mitigating the impact on their users. We thank them for their assistance.
Personally I don’t quite understand this last bit: if DNSSEC is there to provide highly trusted DNS service, and if middlemen are able to bypass it when it fails, then a denial of service could, it feels to me, be used as a way to serve poisoned data, somehow.
Cloudflare also blogged:
HN has commentary, as usual:
The Register reports
Downdetector’s German website shows thousands of outage reports made concerning major websites such as Amazon, DHL, Steam, Web.de, around the same times that Denic confirmed the problems.
Anecdotal reports from the wider web indicate that the likes of eBay and mainstream news outlets were also unavailable.