You are here: Home > Get Support > Service and Security Announcements > DNSSEC Validation Problem with ripe.net

DNSSEC Validation Problem with ripe.net

On 3 December 2020 at 15:40 (UTC+1), Matt Nordhoff and Peter van Dijk alerted us to a problem with the DNS resolution of certain names in ripe.net. Upon investigation, we discovered that a recent update in the zone had changed the status of some address records to glue records. This change was not handled correctly by our DNSSEC signer, and it left spurious NSEC records in the zone, which then caused validation failures.

At 20:00 (UTC+1), we forced the DNSSEC signer to fully re-sign the zone, and this fixed the problem. We have reported this issue to the developers of the DNSSEC signing software, and they are investigating. We are also adding some extra monitoring to our infrastructure, to detect such problems more quickly.