DNSSEC issue at SML and SMK

Update (2019-08-29 11:25 CEST): for now, the DNSSEC changes have been rolled back and the DNS service should be operational again.

On August 28, 2019, CEF introduced DNSSEC for the SML and SMK domains. However, their implementation is broken, as the authoritative nameservers for are signaling that the domains should be signed, but are not adding digital signatures to their responses. This means that DNSSEC-aware DNS resolvers are currently unable to resolve any domains under This includes all PEPPOL identifier lookups.

Because of this, recipient lookups on this website, and that of the Simplerinvoicing Test Tool, are currently not working; any lookup will result in ‘recipient not found’.

If your Access Point uses a DNSSEC-aware resolver, all lookups will fail there too, and you will not be able to send any documents over the PEPPOL network. Should this issue remain unsolved, you can either set a Negative Trust Anchor in your resolver for any domain under, or disable DNSSEC-validation for the time being. In those cases, remember to re-enable it as soon as the issue is resolved.

CEF is aware of the issue, and is looking for a solution. We will post an update as soon as we have more information.