Re: [dns-operations] .RU zone failed ZSK rotation
On Wed, Jan 31, 2024 at 04:37:02PM +0200, Phil Kulin wrote a message of 56 lines which said:

> Done. New serial number 4058860. New active ZSK
> https://dnsviz.net/d/ru/ZbpWZg/dnssec/

There is now a detailed technical post-mortem. These official explanations fit the facts that we observed. Nice bug.

https://www.rbc.ru/technology_and_media/07/02/2024/65c38fea9a794752176bd3a0

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations

Re: [dns-operations] .RU zone failed ZSK rotation
Done. New serial number 4058860. New active ZSK
https://dnsviz.net/d/ru/ZbpWZg/dnssec/

On Wed, Jan 31, 2024 at 4:34 AM Phil Kulin wrote:
>
> Timeline:
> 2024-01-30 12:29:44 UTC: Last correct answer before outage (SOA SN: 4058855): https://dnsviz.net/d/ru/ZbjruA/dnssec/
> 2024-01-30 15:27:27 UTC: First bad answer (SOA SN: 4058857): https://dnsviz.net/d/ru/ZbkVXw/dnssec/
> 2024-01-30 17:27:35 UTC: Resigning attempt (SOA SN: 4058857 and 4058858): https://dnsviz.net/d/ru/Zbkxhw/dnssec/
> 2024-01-30 17:59:46 UTC: Recovering process started (SOA SN: 4058857 and 4058857 and 4058858): https://dnsviz.net/d/ru/Zbk5Eg/dnssec/
> 2024-01-30 19:07:29 UTC: First completely good answer (SOA SN: 4058856): https://dnsviz.net/d/ru/ZblI8Q/dnssec/
>
> On Tue, Jan 30, 2024 at 6:34 PM Sergey Myasoedov wrote:
> >
> > https://dnsviz.net/d/ru/ZbjruA/dnssec/
> > https://dnsviz.net/d/ru/ZbkVXw/dnssec/
> >
> > And there is about 1hr outage by now
> >
> > --
> > Sergey
>
> --
> Non nobis Domine non nobis sed Nomini Tuo da gloriam
> Phil Kulin

--
Non nobis Domine non nobis sed Nomini Tuo da gloriam
Phil Kulin

Re: [dns-operations] .RU zone failed ZSK rotation
On Wed, Jan 31, 2024 at 04:34:40AM +0200, Phil Kulin wrote a message of 45 lines which said:

> Timeline:

Thanks.

I'm not convinced that the subject of this thread is useful. The chain of keys was always correct (unlike many DNSSEC problems, the DS and DNSKEY were always in sync), the problem being that ZSK 52263 produced invalid signatures.

Two hypotheses:

1) Something strange in this specific key broke the signatures (funny but unlikely)
2) The signing system had a sudden problem.

Note that .ru went back, not only to the previous ZSK but also to a previous zone, and the SOA serial (4058856) did not change since (it changed every ~ two hours before). It is possible that they cannot sign anymore.

Note: there will be a short talk about this incident at FOSDEM (Brussels) on Saturday, either at the DNS devroom or during the lightning talks.

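An added example, not written by any poster in this thread: a small monitor over periodic SOA serial observations that flags servers disagreeing on the serial, a serial moving backwards (compared with RFC 1982 serial arithmetic), and a serial that stops changing. It is fed with the timeline posted in this thread plus one constructed final observation; the function names and the 4-hour stall threshold are assumptions.

```python
from datetime import datetime, timedelta

def serial_lt(a, b):
    """RFC 1982 serial arithmetic: True if a precedes b (wrap-aware, 32 bits)."""
    return 0 < ((b - a) & 0xFFFFFFFF) < 0x80000000

def audit(observations, stall_after=timedelta(hours=4)):
    """Return (time, finding) tuples: 'split', 'regression' or 'stall'."""
    findings = []
    prev = None          # newest serial seen at the previous observation
    last_change = None   # time the newest serial last changed
    for stamp, serials in observations:
        when = datetime.fromisoformat(stamp)
        if len(set(serials)) > 1:
            findings.append((stamp, "split"))       # servers disagree
        newest = serials[0]
        for s in serials[1:]:
            if serial_lt(newest, s):
                newest = s
        if prev is None or newest != prev:
            if prev is not None and serial_lt(newest, prev):
                findings.append((stamp, "regression"))  # zone rolled back
            prev, last_change = newest, when
        elif when - last_change > stall_after:
            findings.append((stamp, "stall"))       # zone no longer updated
    return findings

# Serials and times (UTC) from the timeline in this thread.
TIMELINE = [
    ("2024-01-30T12:29:44", [4058855]),
    ("2024-01-30T15:27:27", [4058857]),
    ("2024-01-30T17:27:35", [4058857, 4058858]),
    ("2024-01-30T17:59:46", [4058857, 4058857, 4058858]),
    ("2024-01-30T19:07:29", [4058856]),
    # Constructed observation (not from the thread): serial still unchanged.
    ("2024-01-31T03:00:00", [4058856]),
]

if __name__ == "__main__":
    for stamp, finding in audit(TIMELINE):
        print(stamp, finding)
```

A regression or stall is not itself a validation failure; here both are the visible trace of the rollback to an earlier zone described above.
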
Re: [dns-operations] .RU zone failed ZSK rotation
Timeline:
2024-01-30 12:29:44 UTC: Last correct answer before outage (SOA SN: 4058855): https://dnsviz.net/d/ru/ZbjruA/dnssec/
2024-01-30 15:27:27 UTC: First bad answer (SOA SN: 4058857): https://dnsviz.net/d/ru/ZbkVXw/dnssec/
2024-01-30 17:27:35 UTC: Resigning attempt (SOA SN: 4058857 and 4058858): https://dnsviz.net/d/ru/Zbkxhw/dnssec/
2024-01-30 17:59:46 UTC: Recovering process started (SOA SN: 4058857 and 4058857 and 4058858): https://dnsviz.net/d/ru/Zbk5Eg/dnssec/
2024-01-30 19:07:29 UTC: First completely good answer (SOA SN: 4058856): https://dnsviz.net/d/ru/ZblI8Q/dnssec/

On Tue, Jan 30, 2024 at 6:34 PM Sergey Myasoedov wrote:
>
> https://dnsviz.net/d/ru/ZbjruA/dnssec/
> https://dnsviz.net/d/ru/ZbkVXw/dnssec/
>
> And there is about 1hr outage by now
>
> --
> Sergey

--
Non nobis Domine non nobis sed Nomini Tuo da gloriam
Phil Kulin

[dns-operations] .RU zone failed ZSK rotation
https://dnsviz.net/d/ru/ZbjruA/dnssec/
https://dnsviz.net/d/ru/ZbkVXw/dnssec/

And there is about 1hr outage by now

--
Sergey