
DNS Working Group

[dns-wg] DNSSEC Validation Failures for RIPE NCC Zones

Anand Buddhdev

2020-05-22 14:21:42 CET

RIPE NCC staff member

Dear colleagues,

Yesterday afternoon (21 May 2020), our DNSSEC signer rolled the Zone 
Signing Keys (ZSKs) of all the zones we operate. Unfortunately, a bug in 
the signer caused it to withdraw the old ZSKs soon after the new keys 
began signing the zones.

Validating resolvers may have experienced some failures if they had 
cached signatures made by the old ZSKs.

We apologise for any operational problems this may have caused. We are 
looking at the issue with the developers of our Knot DNS signer to 
prevent such an occurrence in the future.

Regards,
Anand Buddhdev
RIPE NCC

Petr Špaček

2020-05-25 11:21:26 CET

On 22. 05. 20 14:21, Anand Buddhdev wrote:
> Dear colleagues,
> 
> Yesterday afternoon (21 May 2020), our DNSSEC signer rolled the Zone Signing Keys (ZSKs) of all the zones we operate. Unfortunately, a bug in the signer caused it to withdraw the old ZSKs soon after the new keys began signing the zones.
> 
> Validating resolvers may have experienced some failures if they had cached signatures made by the old ZSKs.
> 
> We apologise for any operational problems this may have caused. We are looking at the issue with the developers of our Knot DNS signer to prevent such an occurrence in the future.

Knot DNS 2.9.5 with a fix for this particular problem has been released, and we encourage all users to upgrade.

Full release announcement:
https://lists.nic.cz/pipermail/knot-dns-users/2020-May/001815.html

The bug sometimes caused automatic key roll-overs to be finished too early, leading to temporary DNSSEC validation failures.

More detailed problem description + workaround:
https://lists.nic.cz/pipermail/knot-dns-users/2020-May/001813.html

We apologize to everyone affected.

-- 
Petr Špaček  @  CZ.NIC
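Both posts describe the same failure mode: the old ZSK leaving the DNSKEY RRset while validating resolvers may still hold RRSIGs made with it. The following added example (not code from the thread, from Knot DNS or from RIPE NCC) models that timeline with constructed key tags and timings, reproduces the failure for a "withdraw soon after signing" schedule, and computes the earliest withdrawal time a pre-publish ZSK rollover (RFC 6781) allows.

```python
from dataclasses import dataclass

OLD_ZSK, NEW_ZSK = 12345, 54321   # constructed key tags, not real RIPE NCC keys


@dataclass(frozen=True)
class RolloverPlan:
    max_rrsig_ttl: int   # largest TTL among RRsets the ZSK signs (seconds)
    propagation: int     # worst-case delay until every authoritative server serves the new zone
    withdraw_after: int  # seconds after the new ZSK starts signing until the old ZSK leaves DNSKEY


def published_dnskeys(plan: RolloverPlan, t: int) -> set:
    """Key tags in the DNSKEY RRset at time t; t=0 is the moment the new ZSK starts signing
    (it was pre-published earlier, so both tags are present until the old one is withdrawn)."""
    return {OLD_ZSK, NEW_ZSK} if t < plan.withdraw_after else {NEW_ZSK}


def rrsig_key_served(plan: RolloverPlan, t: int) -> int:
    """Key tag of the RRSIG a resolver may receive at time t. Until propagation completes,
    some authoritative servers still hand out signatures made by the old ZSK."""
    return OLD_ZSK if t < plan.propagation else NEW_ZSK


def validates(plan: RolloverPlan, t_cached: int, t_validate: int) -> bool:
    """A resolver cached RRset+RRSIG at t_cached and (re)validates at t_validate after
    refetching DNSKEY (its DNSKEY cache entry expired): the worst case for the resolver."""
    if t_validate - t_cached > plan.max_rrsig_ttl:
        return True   # cached RRSIG aged out; the resolver fetches a freshly signed RRset
    return rrsig_key_served(plan, t_cached) in published_dnskeys(plan, t_validate)


def first_failure(plan: RolloverPlan, step: int = 60):
    """Scan the rollover timeline; return (t_cached, t_validate) of the first
    validation failure, or None if the schedule never strands a cached RRSIG."""
    for t_c in range(0, plan.propagation, step):
        for t_v in range(t_c, t_c + plan.max_rrsig_ttl + 1, step):
            if not validates(plan, t_c, t_v):
                return (t_c, t_v)
    return None


def earliest_safe_withdrawal(plan: RolloverPlan) -> int:
    """Pre-publish rule: keep the old ZSK published until the last RRSIG it made
    can have expired from every cache (propagation delay + largest signed TTL)."""
    return plan.propagation + plan.max_rrsig_ttl


# Constructed schedules: the old key withdrawn 5 minutes after the new one starts signing,
# versus a schedule that honours the safe bound for the same zone.
BUGGY = RolloverPlan(max_rrsig_ttl=3600, propagation=600, withdraw_after=300)
SAFE = RolloverPlan(max_rrsig_ttl=3600, propagation=600, withdraw_after=4200)

if __name__ == "__main__":
    print("buggy plan first failure:", first_failure(BUGGY))            # (0, 300)
    print("earliest safe withdrawal:", earliest_safe_withdrawal(BUGGY))  # 4200
    print("safe plan first failure:", first_failure(SAFE))               # None
```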