On Tue, Mar 08, 2022 at 10:23:21AM +0100, Stephane Bortzmeyer wrote:
> Entire TLD down since the DS goes to an unexisting key
> <https://dnsviz.net/d/fj/YicaMA/dnssec/>.
>
> % dig @a.root-servers.net fj ds
> fj. 86400 IN DS 18952 8 2 (
> B22F5938AD822A76499A3AC295E061CC07FCE36D7956 E26A4F51AEDE1717F993 )

This had been in place unchanged since at least 2021-03-12, when the TLD
was first signed. (There's a new DS RR matching the KSK now.)

> % dig @144.120.146.1 fj dnskey
> fj. 3600 IN DNSKEY 256 3 8 ( ... ) ; ZSK; alg = RSASHA256 ;
> key id = 24459
> fj. 3600 IN DNSKEY 257 3 8 ( ... ) ; KSK; alg = RSASHA256 ;
> key id = 12931
> fj. 3600 IN RRSIG DNSKEY 8 1 3600 ( 20220321164811
> 20220307230005 12931 fj. ... )

There had also been two ZSK rollovers since the TLD was signed, on
2021-09-03 and 2022-03-03, but this was the first KSK rollover.
Apparently, without overlap with the previous KSK, and only a
subsequent parent DS update. :-(

There is now a new DS RR matching the KSK and also a fresh ZSK.

IANA lists:

    Technical Contact
    Manager Systems & Networks
    The University of the South Pacific IT Services
    Suva
    Fiji
    Email: [email protected]
    Voice: +679 323 2117

Is anyone in a position to reach out and help them avoid future issues?

--
Viktor.
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
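
An added example, not part of the original message: a pre-flight check that the parent's DS set still matches at least one DNSKEY at the zone apex, walked through a KSK rollover with and without overlap. The key bytes are constructed filler, the helper names are hypothetical, and the check covers only the DS-to-DNSKEY link (a validator additionally requires a valid RRSIG over the DNSKEY RRset made by the matched key).

```python
import hashlib
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B; not for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name: str) -> bytes:
    """Owner name in canonical (lowercased) wire format."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def make_ds(owner: str, rdata: bytes):
    """(key tag, algorithm, SHA-256 digest), i.e. a DS with digest type 2."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest)

def chain_ok(owner: str, ds_set, dnskey_set) -> bool:
    """True if some parent DS matches some DNSKEY served at the zone apex."""
    published = {make_ds(owner, k) for k in dnskey_set}
    return any(ds in published for ds in ds_set)

# Constructed sample keys: the public-key bytes are filler, not real RSA keys.
OLD_KSK = dnskey_rdata(257, 8, bytes(range(64)))
NEW_KSK = dnskey_rdata(257, 8, bytes(range(1, 65)))
ZSK = dnskey_rdata(256, 8, bytes(range(2, 66)))
OLD_DS, NEW_DS = make_ds("fj.", OLD_KSK), make_ds("fj.", NEW_KSK)

def rollover_states():
    """Four states; 'abrupt' is the no-overlap case described in the message."""
    return {
        "before":  chain_ok("fj.", [OLD_DS], [OLD_KSK, ZSK]),
        "abrupt":  chain_ok("fj.", [OLD_DS], [NEW_KSK, ZSK]),
        "overlap": chain_ok("fj.", [OLD_DS], [OLD_KSK, NEW_KSK, ZSK]),
        "after":   chain_ok("fj.", [NEW_DS], [NEW_KSK, ZSK]),
    }

if __name__ == "__main__":
    for state, ok in rollover_states().items():
        print(f"{state:8} {'secure' if ok else 'BOGUS: no DS matches any DNSKEY'}")
```

Running the same comparison against the live parent DS set and the planned post-rollover DNSKEY set before withdrawing the old KSK flags the "abrupt" state ahead of time.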