[dns-operations] Reminder: May 6th Online dns-wg session
This is a reminder for the dns-wg online session we will have on Wednesday May 6th at 15:30 CEST. Here's the agenda and Zoom details for the upcoming session 6 May:

RIPE DNS Working Group - May 6, 2020 3:30 PM CEST (Amsterdam)

Agenda:

Effect of a global pandemic on DNS utilization
    Steve DeJong, Neustar

COVID-19 influence on resolver traffic
    Peter van Dijk, PowerDNS
    Pieter Lexis, PowerDNS

Join Zoom Meeting: https://ripe.zoom.us/j/92457259361?pwd=cElZU2dWTjB0N3JYaWVJZlc2T1BhQT09
Meeting ID: 924 5725 9361
Password: 379388
Find your local number: https://ripe.zoom.us/u/ahMe5oL66
Join by SIP 92457259...@zoomcrc.com

This is a RIPE community meeting; all RIPE meeting participation rules apply, including the RIPE code of conduct.

Future sessions:

May 27, 2020 at 3:30 PM CEST (Amsterdam)
Jun 17, 2020 at 3:30 PM CEST (Amsterdam)

Call for contributions:

We are currently seeking content for the June 17 meeting and beyond. Presentations and suggestions for discussion topics are always welcome, recent operational experiences and observations are particularly encouraged. Please send your ideas to the DNS WG Chairs at .

Kind regards,
Dave Knight, for the DNS WG chairs.
___ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.
Thank you Thomas,

Well, we had around 12% of the 800 000 RRSIG records that expired today. While it should not happen (I'm still looking to find out what went wrong) because signatures are supposed to be spread over time in the .fr zone to avoid re-signing lots of them at the same time.

Our monitoring system did not detect this case while it is supposed to be addressed. I just found out that a bug was introduced in it recently when I worked on the algorithm rollover from RSA to ECDSA. We had to modify many configurations, scripts, processes during this transition and it seems I missed something :-/

The zone has been re-generated and records with signatures close to expire have been re-signed.

Thank you for all the alerts I received from many of you, that allowed to fix it as fast as possible (it could have been better, but Murphy's laws...).

Best regards,
Vincent

On 4 May, Thomas Dupas via dns-operations wrote:

> Date: Mon, 4 May 2020 20:31:54 +
> From: Thomas Dupas
> To: "dns-operati...@dns-oarc.net" ,
>  "dns-operations@lists.dns-oarc.net"
> Subject: Re: [dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.
>
> I'll leave it to Vincent/Afnic to answer on this more extensively once there
> is more clarity, but we noticed it as well ~3 hours ago for dnsbelgium.fr .
> Mail + text message has been sent to Vincent and his colleagues at the time,
> they were looking into it.
> I've just been in contact with him again, to be sure he knew.
> They're aware; and working on it, would let them work on the issue at this
> phase instead of tracking the various channels.
>
> Br,
>
> Thomas
>
> On 04/05/2020, 22:11, "dns-operations on behalf of Viktor Dukhovni" wrote:
>
>     On Mon, May 04, 2020 at 09:35:26PM +0200, Martin Wismer wrote:
>
>     > I noticed, that the DNSSEC signed Domains under top-Level Domain fr.
>     > failed since about 4 hours.
>
>     Indeed, there does seem to be a problem with expired DS RR signatures.
>     A random sample of 1000 .fr child domains (out of 398,564 total known
>     to me signed .fr domains) returns DS lookup ServFail for 205 of them.
>
>     The associated RRSIG expiration times are:
>
>         204 20200504145605
>           1 20200504174835
>
>     We can estimate the standard-deviation at ~sqrt(n*p*q) or ~13, so
>     the 3-sigma interval is roughly 16% to 24% of the DS RRSIGs are
>     now expired, affecting ~80k signed domains.
>
>     > Could anybody please fix this?
>
>     I sent a Twitter message to "Vincent Levigneron", but likely some AFNIC
>     folks are on this list.
>
>     > Does anybody else also noticed this?
>
>     Yes. See above.
>
>     --
>     Viktor.

--
Vincent Levigneron
A.F.N.I.C.
vincent.levigne...@afnic.fr
Re: [dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.
I'll leave it to Vincent/Afnic to answer on this more extensively once there is more clarity, but we noticed it as well a few hours ago for dnsbelgium.fr .
Mail + text message has been sent to Vincent and his colleagues at the time, they were looking into it.
I've been in contact with him again ~30 min ago, to be sure he knew.
They're aware; and working on it, would let them work on the issue at this phase instead of tracking the various channels.

Br,

Thomas

From: dns-operations on behalf of Viktor Dukhovni
Sent: Monday, May 4, 2020 10:23 PM
To: dns-operati...@dns-oarc.net
Subject: Re: [dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.

On Mon, May 04, 2020 at 04:01:41PM -0400, Viktor Dukhovni wrote:

> On Mon, May 04, 2020 at 09:35:26PM +0200, Martin Wismer wrote:
>
> > I noticed, that the DNSSEC signed Domains under top-Level Domain fr.
> > failed since about 4 hours.
>
> Indeed, there does seem to be a problem with expired DS RR signatures.
> A random sample of 1000 .fr child domains (out of 398,564 total known
> to me signed .fr domains) returns DS lookup ServFail for 205 of them.
>
> The associated RRSIG expiration times are:
>
>     204 20200504145605
>       1 20200504174835

All 205 expired DS RRsets from the initial sample now have a DS RRSIG with an expiration time of 20200703184136 (retrieved directly from authoritative .FR servers). So it looks like progress is being made to resolve this.

--
Viktor.
Re: [dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.
I'll leave it to Vincent/Afnic to answer on this more extensively once there is more clarity, but we noticed it as well ~3 hours ago for dnsbelgium.fr .
Mail + text message has been sent to Vincent and his colleagues at the time, they were looking into it.
I've just been in contact with him again, to be sure he knew.
They're aware; and working on it, would let them work on the issue at this phase instead of tracking the various channels.

Br,

Thomas

On 04/05/2020, 22:11, "dns-operations on behalf of Viktor Dukhovni" wrote:

    On Mon, May 04, 2020 at 09:35:26PM +0200, Martin Wismer wrote:

    > I noticed, that the DNSSEC signed Domains under top-Level Domain fr.
    > failed since about 4 hours.

    Indeed, there does seem to be a problem with expired DS RR signatures.
    A random sample of 1000 .fr child domains (out of 398,564 total known
    to me signed .fr domains) returns DS lookup ServFail for 205 of them.

    The associated RRSIG expiration times are:

        204 20200504145605
          1 20200504174835

    We can estimate the standard-deviation at ~sqrt(n*p*q) or ~13, so
    the 3-sigma interval is roughly 16% to 24% of the DS RRSIGs are
    now expired, affecting ~80k signed domains.

    > Could anybody please fix this?

    I sent a Twitter message to "Vincent Levigneron", but likely some AFNIC
    folks are on this list.

    > Does anybody else also noticed this?

    Yes. See above.

    --
    Viktor.
Re: [dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.
Hi all,

I'm on it. Sorry to be so brief in this message, we have to fix it.

New zones with new RRSIG have just been released, it should be better now.

On 4 May, Viktor Dukhovni wrote:

> On Mon, May 04, 2020 at 09:35:26PM +0200, Martin Wismer wrote:
>
> > I noticed, that the DNSSEC signed Domains under top-Level Domain fr.
> > failed since about 4 hours.
>
> Indeed, there does seem to be a problem with expired DS RR signatures.
> A random sample of 1000 .fr child domains (out of 398,564 total known
> to me signed .fr domains) returns DS lookup ServFail for 205 of them.
>
> The associated RRSIG expiration times are:
>
>     204 20200504145605
>       1 20200504174835
>
> We can estimate the standard-deviation at ~sqrt(n*p*q) or ~13, so
> the 3-sigma interval is roughly 16% to 24% of the DS RRSIGs are
> now expired, affecting ~80k signed domains.
>
> > Could anybody please fix this?
>
> I sent a Twitter message to "Vincent Levigneron", but likely some AFNIC
> folks are on this list.
>
> > Does anybody else also noticed this?
>
> Yes. See above.
>
> --
> Viktor.

--
Vincent Levigneron
A.F.N.I.C.
vincent.levigne...@afnic.fr
Re: [dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.
On Mon, May 04, 2020 at 09:35:26PM +0200, Martin Wismer wrote:

> I noticed, that the DNSSEC signed Domains under top-Level Domain fr.
> failed since about 4 hours.

Indeed, there does seem to be a problem with expired DS RR signatures. A random sample of 1000 .fr child domains (out of 398,564 total known to me signed .fr domains) returns DS lookup ServFail for 205 of them.

The associated RRSIG expiration times are:

    204 20200504145605
      1 20200504174835

We can estimate the standard-deviation at ~sqrt(n*p*q) or ~13, so the 3-sigma interval is roughly 16% to 24% of the DS RRSIGs are now expired, affecting ~80k signed domains.

> Could anybody please fix this?

I sent a Twitter message to "Vincent Levigneron", but likely some AFNIC folks are on this list.

> Does anybody else also noticed this?

Yes. See above.

--
Viktor.
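The expiry tally and sampling estimate from this message, together with the near-expiry check the registry's monitoring was meant to perform, as an added example that is not part of the original posts or of any tool the participants used. The RRSIG lines are constructed (owner names, key tag and signature are placeholders), and the 7-day warning window is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from math import sqrt

# Constructed sample (owner names, key tag and signature are placeholders).
# Fields: owner TTL class RRSIG covered alg labels orig-TTL expiration inception tag signer sig
SAMPLE = """\
child1.fr. 172800 IN RRSIG DS 13 2 172800 20200504145605 20200305145605 12345 fr. c2lnbmF0dXJl
child2.fr. 172800 IN RRSIG DS 13 2 172800 20200504145605 20200305145605 12345 fr. c2lnbmF0dXJl
child3.fr. 172800 IN RRSIG DS 13 2 172800 20200504174835 20200305174835 12345 fr. c2lnbmF0dXJl
child4.fr. 172800 IN RRSIG DS 13 2 172800 20200703184136 20200504184136 12345 fr. c2lnbmF0dXJl
"""

def parse_rrsig(line):
    """Return (owner, type covered, expiration as an aware UTC datetime)."""
    f = line.split()
    if len(f) < 13 or f[3].upper() != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    # Only the 14-digit YYYYMMDDHHmmSS form of the expiration field is handled.
    exp = datetime.strptime(f[8], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return f[0], f[4], exp

def audit(text, now, warn=timedelta(days=7)):
    """Classify every signature and tally the expiration timestamps."""
    status, tally = {}, Counter()
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # skip blank lines and zone-file comments
        owner, _covered, exp = parse_rrsig(line)
        tally[exp.strftime("%Y%m%d%H%M%S")] += 1
        if exp < now:
            status[owner] = "expired"
        elif exp - now <= warn:
            status[owner] = "expiring"  # the case monitoring should alert on
        else:
            status[owner] = "ok"
    return status, tally

def estimate(n, failed, population, sigmas=3):
    """Binomial estimate from a random sample, scaled to the population."""
    p = failed / n
    sd = sqrt(n * p * (1 - p))  # standard deviation of the failure count
    lo, hi = (failed - sigmas * sd) / n, (failed + sigmas * sd) / n
    return p, sd, lo, hi, round(p * population)

if __name__ == "__main__":
    now = datetime(2020, 5, 4, 20, 0, tzinfo=timezone.utc)
    status, tally = audit(SAMPLE, now)
    print(status, dict(tally))
    print(estimate(1000, 205, 398564))
```
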
Re: [dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.
On Mon, May 4, 2020 at 3:41 PM Martin Wismer wrote:

> Hello, Bonjour,
>
> I noticed, that the DNSSEC signed Domains under top-Level Domain fr.
> failed since about 4 hours.
>
> Example Domains:
> m6replay.fr.
> climato-realistes.fr.
> langue-au-chat.fr
> sully-group.fr
>
> Could anybody please fix this?
> Does anybody else also noticed this?
> Thanks or merci beaucoup. Greetings
> Martin.Wismer.

Yes, I notice the same. The signature on the DS RRset for these zones (in the .fr parent) has expired (May 4 15:19:46 2020 UTC for the first).

Shumon.
[dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.
Hello, Bonjour,

I noticed, that the DNSSEC signed Domains under top-Level Domain fr. failed since about 4 hours.

Example Domains:
m6replay.fr.
climato-realistes.fr.
langue-au-chat.fr
sully-group.fr

Could anybody please fix this?
Does anybody else also noticed this?
Thanks or merci beaucoup. Greetings
Martin.Wismer.