Issues getting certificates for .de zone

.de is returning NSEC3 opt-out denial for DS on multiple .de domains, but Let’s Encrypt validation intermittently marks it Bogus with “not all NSEC3 records secure.” Raw dig +dnssec from n.de.net returns NSEC3/RRSIG material, but validator acceptance is failing.

The issue started to happen a couple of hours ago.

Doesn't look like this is unique to Let's Encrypt validation. If DNSSEC is present, LE validates it, so it would (rightly) fail for invalid DNSSEC.

I am getting Bogus results for pepsi.de and amazon.de from this testing tool that we often use.

Do you think we need to contact DENIC to let them know about the issue?

They're aware: https://status.denic.de/

Since NSEC3 records also currently have invalid signatures, unsigned domains are also affected.

In fact it's the other way around: I'm only seeing valid RRSigs for domains with a DS record (as there is no NSEC involved here), so DNSSEC-signed domains resolve properly. It's the unsigned domains that don't work, as the NSEC record currently being served is invalid for some domains. However, it's not invalid for all domains, only some. Something went wrong with DENIC's zone signing for sure.
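The behaviour discussed above, as an added example that is not part of any post in this thread: a simplified Python model of how a validating resolver classifies a delegation from the parent zone, showing why a bad signature on the NSEC3 proof breaks unsigned children while children with a DS record keep resolving. Signature checks are modelled as booleans, the closest-encloser match a full RFC 5155 validator also requires is omitted, and the names, salt and records are constructed.

```python
import base64
import hashlib

# base32 -> base32hex alphabet (RFC 4648); NSEC3 owner names use base32hex.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: iterated, salted SHA-1 over the lowercase wire-format name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):          # "iterations" counts the extra rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()

def covers(owner, nxt, h):
    """True if hash h lies strictly inside the NSEC3 interval (owner, nxt)."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt          # last record in the chain wraps around

def classify_delegation(child, ds_present, ds_sig_ok, nsec3, salt_hex="", iterations=0):
    """nsec3: list of dicts with owner, next, opt_out, types, sig_ok
    (modelled NSEC3 records from the referral's authority section)."""
    if ds_present:                       # signed child: no NSEC3 proof involved
        return "secure" if ds_sig_ok else "bogus"
    h = nsec3_hash(child, salt_hex, iterations)
    for rec in nsec3:
        matches = rec["owner"] == h and "DS" not in rec["types"]
        opted_out = rec["opt_out"] and covers(rec["owner"], rec["next"], h)
        if matches or opted_out:
            # The proof counts only if its RRSIG verifies; otherwise the
            # absence of DS is unproven and the validator must answer bogus.
            return "insecure" if rec["sig_ok"] else "bogus"
    return "bogus"                       # no proof that DS is absent

if __name__ == "__main__":
    # Constructed opt-out record spanning almost the whole hash space.
    rec = {"owner": "0" * 32, "next": "v" * 32, "opt_out": True, "types": set()}
    for sig_ok in (True, False):
        result = classify_delegation("unsigned.example", False, False,
                                     [dict(rec, sig_ok=sig_ok)])
        print("NSEC3 RRSIG valid" if sig_ok else "NSEC3 RRSIG invalid", "->", result)
    print("child with DS ->", classify_delegation("signed.example", True, True, []))
```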

Looks like they had a maintenance scheduled for today: [COMPLETED] DENIC (.DE) Registry Scheduled Maintenance - May 5, 2026 - Namecheap Status