Re: [dns-operations] TLD .fj broken (DNSSEC issue)

2022-03-08 Thread Viktor Dukhovni
On Tue, Mar 08, 2022 at 10:23:21AM +0100, Stephane Bortzmeyer wrote:

> Entire TLD down since the DS goes to a nonexistent key.
> 
> % dig @a.root-servers.net fj ds
> fj.   86400 IN DS 18952 8 2 ( 
> B22F5938AD822A76499A3AC295E061CC07FCE36D7956 E26A4F51AEDE1717F993 )

This had been in place unchanged since at least 2021-03-12, when the TLD
was first signed.  (There's a new DS RR matching the KSK now).

> % dig @144.120.146.1 fj dnskey
> fj.   3600 IN DNSKEY 256 3 8 ( ... ) ; ZSK; alg = RSASHA256 ; key id = 24459
> fj.   3600 IN DNSKEY 257 3 8 ( ... ) ; KSK; alg = RSASHA256 ; key id = 12931
> fj.   3600 IN RRSIG DNSKEY 8 1 3600 ( 20220321164811 
> 20220307230005 12931 fj.  ... )

There had also been two ZSK rollovers since the TLD was signed, on
2021-09-03 and 2022-03-03, but this was the first KSK rollover.
Apparently, without overlap with the previous KSK, and only a
subsequent parent DS update. :-(

There is now a new DS RR matching the KSK and also a fresh ZSK.

IANA lists:

Technical Contact
Manager Systems & Networks
The University of the South Pacific IT Services
Suva
Fiji
Email: dom...@usp.ac.fj
Voice: +679 323 2117

Is anyone in a position to reach out and help them avoid future issues?

-- 
Viktor.
___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
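
Added example, not part of either poster's message: a stdlib-only Python model of the DS-to-DNSKEY link that broke here, comparing a KSK swap without overlap against a double-KSK rollover. The key material is constructed (not the real .fj keys), and rollover_states and its state names are hypothetical.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical wire-format owner name: 'fj.' -> b'\\x02fj\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_for(owner, rdata):
    """DS fields (key tag, algorithm, digest type 2, SHA-256 hex) for one DNSKEY."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def chain_intact(owner, parent_ds, child_dnskeys):
    """True if some DS in the parent matches some DNSKEY served by the child.
    Signature checks are omitted: this tests only the DS-to-DNSKEY link."""
    return any(ds_for(owner, k) in parent_ds for k in child_dnskeys)

# Constructed key material, NOT the real .fj keys.
ZSK = dnskey_rdata(256, 3, 8, bytes(range(1, 65)))
OLD_KSK = dnskey_rdata(257, 3, 8, bytes(range(65, 129)))
NEW_KSK = dnskey_rdata(257, 3, 8, bytes(range(129, 193)))

def rollover_states(owner="fj."):
    """Hypothetical helper: cache TTL waits between steps are not modeled."""
    old_ds, new_ds = {ds_for(owner, OLD_KSK)}, {ds_for(owner, NEW_KSK)}
    return {
        # KSK swapped in the child while the parent still holds the old DS.
        "swap_without_overlap": chain_intact(owner, old_ds, [ZSK, NEW_KSK]),
        # Double-KSK sequence: publish both keys, update DS, retire the old key.
        "1_both_keys_old_ds": chain_intact(owner, old_ds, [ZSK, OLD_KSK, NEW_KSK]),
        "2_both_keys_new_ds": chain_intact(owner, new_ds, [ZSK, OLD_KSK, NEW_KSK]),
        "3_new_key_new_ds": chain_intact(owner, new_ds, [ZSK, NEW_KSK]),
    }

if __name__ == "__main__":
    for state, ok in rollover_states().items():
        print(f"{state:22} {'validates' if ok else 'BOGUS'}")
```

The same ds_for() comparison can be run against live dig output for a zone to monitor that every DS at the parent still has a matching DNSKEY at the child.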


[dns-operations] TLD .fj broken (DNSSEC issue)

2022-03-08 Thread Stephane Bortzmeyer
Entire TLD down since the DS goes to a nonexistent key.

% dig @a.root-servers.net fj ds


; <<>> DiG 9.16.22-Debian <<>> @a.root-servers.net fj ds
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21820
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;fj.   IN DS

;; ANSWER SECTION:
fj. 86400 IN DS 18952 8 2 (
B22F5938AD822A76499A3AC295E061CC07FCE36D7956
E26A4F51AEDE1717F993 )
fj. 86400 IN RRSIG DS 8 1 86400 (
2022032105 2022030804 9799 .
GV9jHAYa1/THxNVXY8xfd9KpkgfWJH9etKm6d13p95Dp
DI/i8q8gDCYHK3s7+QkQWmwnuhyIajYXbJGpwjpIZFJJ
dUlL6kJyApAbx8p+XvnMRE8IiI7HwjE+SReu4iOVhuXy
sBEDGvdwHjENYes8g7S909FefLFCaBfZ8WVWVBWOOQNY
ueERcBFn6kAUSM8Es5xzt7B0UnivO+dWX6NSXxzVPxTW
8hTsWXoyLle6Qkxti2+4zQJS/UlQYYeSUZbj/bGTlV/j
8z7GdoFngXNwyZXrGxmdqxSvzFUh9/38Idn0xC1HAvFW
4jhDCS1WV9NPiBs0Wx/VG8yMM0KGXbi+Fg== )

;; Query time: 12 msec
;; SERVER: 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30)
;; WHEN: Tue Mar 08 10:22:09 CET 2022
;; MSG SIZE  rcvd: 366

But:

% dig @144.120.146.1 fj dnskey

; <<>> DiG 9.16.22-Debian <<>> @144.120.146.1 fj dnskey
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53588
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 2c82e96a472de66f47f4f4ee62272071a682d2e21408 (good)
;; QUESTION SECTION:
;fj.   IN DNSKEY

;; ANSWER SECTION:
fj. 3600 IN DNSKEY 256 3 8 (
AwEAAdpT6o6ustm4WxYhP8Xa6P1+1dvYExn1LyOC9qUX
dbt3BWPok+obi69yRywGD740Aj6AO7To2HXDlLF3YF5c
R1mO5mo6iSTHqNAg4rjE49/BVxjV3KgmEOGFdtiMbAi+
4d6KMPkl+HULwmJkdcu8gkG9cYjBkJ2OUpfvsjaZ47/a
zk+d8ffEd0oN/0dC9lhcaeYOvhJehdGHFemKY3Mk5O1F
Zrww9OF3SOBSrW+C6LPk04/mTji7j6OeIDfFIMvuu0oN
OAqxTlwUuoTeIiHmJZ0jNlKgBgmsTmlRETAEjcDqcGha
wiENI65uRYbx2eRv5k2U5If0ydhMxBLYAcqFEHE=
) ; ZSK; alg = RSASHA256 ; key id = 24459
fj. 3600 IN DNSKEY 257 3 8 (
AwEAAchm/6TsZVKXuzGe+5Kx/7PW2j1jMkctAL+FaWn+
LW28Kzr4KI9XQz2bd1byWdsljsKkW1zMiiLBlxHcmUiK
vv8hIPLwdxwEdutCve9arJNfDyDhCf5SCHenzQwaR3pQ
zQ+QzaTVPQKz9VIfV6u06wGqq4iTo014N2ITs2EtYU0T
bydZ/cOuy2+N5xE1Xi6JrJuwPKSQfi3M3Ojb3SA4EK6f
BaiGM2Ri1DN6OD+5A8Z9R4EihqAtPtkjJI8mqAbmXu+d
krMJVljtaCMlt2tejaqzqfwd4FJQEdFRiEdMwB3sYjsH
+cMn3QJlvlSXm/w174e5Wzvk563TvuPOrLzefQU=
) ; KSK; alg = RSASHA256 ; key id = 12931
fj. 3600 IN RRSIG DNSKEY 8 1 3600 (
20220321164811 20220307230005 12931 fj.
uRN6QJdTyElu51Xzz30KDF8efDUL+RrZwjy4YyPX2YKv
fLJ5ugQm2jA/Js3UteScHJOEzBobYLnWI/jKYqi6/EVX
78KCaqDMZwnkDOVn6FKRUM+oK/FPWFCPWAUQQ6pVWqY3
OiU/GA5yW6f5oD0yyt3K0HIpAnC86lAftGyhHSoeDm4D
EF+yJPJtB07z2/dyIthg8Gtzo9/24yEAgWjhFPa/DNWv
K7jw2/alPUBFMNTIWGba918PJRgJg8G6HQQ4xWqr4xV/
O7gPRk+Wh8/YlfrGdfWoBTax2VMvQGhrBmqTqxwKwaEC
+gpwGasOMSF5g/DujuHSQ0NK7+L67m+wHA== )

;; Query time: 320 msec
;; SERVER: 144.120.146.1#53(144.120.146.1)
;; WHEN: Tue Mar 08 10:22:57 CET 2022