DNSSEC Validation Failures for RIPE NCC Zones

On Thursday, 21 May 2020 at 18:50 (UTC), our DNSSEC signer rolled the Zone Signing Keys (ZSKs) of all the zones we operate. Unfortunately, a bug in the signer caused it to withdraw the old ZSKs soon after the new keys began signing the zones. Validating resolvers may have experienced some failures if they had cached signatures made by the old ZSKs.

We apologise for any operational problems this may have caused. We are looking at the issue with the developers of our Knot DNS signer to prevent such an occurrence in the future.
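
The failure mode described above, as a simplified timing model. This is an added example, not code from the RIPE NCC or from Knot DNS; all timing and TTL values are constructed, and it assumes the new ZSK was already published in the DNSKEY RRset before it began signing.

```python
"""Simplified model of a ZSK rollover: when is it safe to withdraw the old ZSK?"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Rollover:
    new_zsk_signs_at: int    # s: zone starts being signed with the new ZSK
    old_zsk_removed_at: int  # s: old ZSK leaves the DNSKEY RRset
    rrsig_ttl: int           # s: how long a resolver may cache a signature
    propagation: int = 0     # s: until every secondary serves new signatures

    def earliest_safe_removal(self) -> int:
        # An old-ZSK signature can still be fetched until propagation ends,
        # and then sits in a resolver cache for up to rrsig_ttl.
        return self.new_zsk_signs_at + self.propagation + self.rrsig_ttl

    def exposure_window(self) -> Optional[Tuple[int, int]]:
        """Interval in which cached old signatures cannot be verified."""
        safe = self.earliest_safe_removal()
        if self.old_zsk_removed_at >= safe:
            return None
        return (self.old_zsk_removed_at, safe)

    def validates(self, sig_cached_at: int, dnskey_fetched_at: int) -> bool:
        """Can a signature cached at sig_cached_at be verified against a
        DNSKEY RRset fetched at dnskey_fetched_at?"""
        if dnskey_fetched_at >= sig_cached_at + self.rrsig_ttl:
            return True  # signature expired from cache; a fresh one is fetched
        # Worst case: anything cached before propagation ends is an old signature.
        made_by_old = sig_cached_at < self.new_zsk_signs_at + self.propagation
        old_key_listed = dnskey_fetched_at < self.old_zsk_removed_at
        return (not made_by_old) or old_key_listed


if __name__ == "__main__":
    # Constructed values: 1 h signature TTL, old ZSK withdrawn after 10 min.
    early = Rollover(new_zsk_signs_at=0, old_zsk_removed_at=600, rrsig_ttl=3600)
    print("exposure window:", early.exposure_window())
    print("cached old sig, DNSKEY refetched at 900 s:", early.validates(-100, 900))
    safe = Rollover(0, early.earliest_safe_removal(), 3600)
    print("withdrawn at safe time:", safe.exposure_window())
```

A non-empty exposure window means resolvers holding old signatures can fail validation until those signatures age out of cache.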