Dear colleagues, On 3 December, at around 15:40 (UTC+1), Matt Nordhoff and Peter van Dijk alerted us to a problem with the DNS resolution of certain names in ripe.net. Upon investigation, we discovered that a recent update in the zone had changed the status of some address records to glue records. This change was not handled correctly by our DNSSEC signer, and it left spurious NSEC records in the zone, which then caused validation failures.
Eventually, around 20:00 (UTC+1), we forced the DNSSEC signer to fully re-sign the zone, and this fixed the problem. We have reported this issue to the developers of the DNSSEC signing software, and they are investigating. We are also adding some extra monitoring to our infrastructure, to detect such problems more quickly. Regards, Anand Buddhdev RIPE NCC
