More correctly they had working DNSSEC deployed (https://dnsviz.net/d/slack.com/YVXX_g/dnssec/) and then pulled both the DS records for slack.com and the DNSSEC records in slack.com AT THE SAME TIME, resulting in DNSSEC validation failures. Cached DS records said slack.com is signed but the answers from the slack.com servers were missing the DNSSEC records. They failed to wait for the DS records to expire from DNS caches before removing the DNSSEC records in slack.com. Failure to wait for unsigned responses to clear caches before publishing DS records can also cause issues with multiple levels of caching.
> On 1 Oct 2021, at 08:23, Scott Howard <[email protected]> wrote:
>
> They broke (and subsequently fixed) their DNSSEC configuration many hours
> ago, but it was broken long enough to get cached by some servers for up to 24
> hours so some users are still having issues connecting.
>
> Short of the classic "have your ISP clear their DNS cache" not much anyone
> can do except wait it out...
>
> https://status.slack.com/2021-09/06c1e17de93e7dc2
>
> Scott
>
>
> On Thu, Sep 30, 2021 at 3:19 PM Andrew Yager <[email protected]> wrote:
> Hi,
>
> Slack is down and finding a few other (non slack) services etc being broken
> seemingly with DNS things. Anyone know what’s going on?
>
> A
> _______________________________________________
> AusNOG mailing list
> [email protected]
> http://lists.ausnog.net/mailman/listinfo/ausnog

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
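
The going-unsigned ordering described in the reply above, as an added example that is not part of the thread: a small model of what a validating resolver concludes when the DS and the signatures are withdrawn together versus after waiting out the DS TTL. The class and function names are hypothetical, the 24-hour DS TTL is a constructed sample value, and caching of the answers themselves is ignored.

```python
from dataclasses import dataclass

@dataclass
class Unsigning:
    """Timeline (seconds) for taking a zone from signed to unsigned."""
    ds_ttl: int           # TTL of the DS RRset served by the parent
    ds_removed_at: int    # when the DS was withdrawn from the parent
    sigs_removed_at: int  # when DNSKEY/RRSIG were stripped from the zone

def validation_state(plan, ds_cached_at, now):
    """State seen at `now` by a validator that last fetched the DS at `ds_cached_at`."""
    # The validator treats the zone as signed while the parent still serves
    # the DS, or while a DS fetched before withdrawal is still in its cache.
    cached_ds_live = (ds_cached_at < plan.ds_removed_at
                      and now < ds_cached_at + plan.ds_ttl)
    believes_signed = now < plan.ds_removed_at or cached_ds_live
    answers_signed = now < plan.sigs_removed_at
    if believes_signed and not answers_signed:
        return "bogus"      # DS says signed, answers carry no signatures
    return "secure" if believes_signed else "insecure"

def bogus_window(plan):
    """Worst-case interval in which some validator can fail, or None."""
    # A cache filled just before withdrawal holds the DS until this time.
    last_ds_expiry = plan.ds_removed_at + plan.ds_ttl
    if plan.sigs_removed_at >= last_ds_expiry:
        return None
    return (plan.sigs_removed_at, last_ds_expiry)

# Constructed sample plans: DS TTL of 24 hours, DS withdrawn at t=0.
SAME_TIME = Unsigning(ds_ttl=86400, ds_removed_at=0, sigs_removed_at=0)
WAITED = Unsigning(ds_ttl=86400, ds_removed_at=0, sigs_removed_at=86400)

if __name__ == "__main__":
    for name, plan in (("same time", SAME_TIME), ("waited", WAITED)):
        print(name, "bogus window:", bogus_window(plan))
    # Resolver that cached the DS one hour before withdrawal, queried one hour after.
    print(validation_state(SAME_TIME, ds_cached_at=-3600, now=3600))
```
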
