Re: [dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.
Thank you Thomas,

Well, we had around 12% of the 800 000 RRSIG records that expired today. It should not happen (I'm still looking to find out what went wrong), because signatures are supposed to be spread over time in the .fr zone to avoid re-signing lots of them at the same time.

Our monitoring system did not detect this case while it is supposed to be addressed. I just found out that a bug was introduced in it recently when I worked on the algorithm rollover from RSA to ECDSA. We had to modify many configurations, scripts, processes during this transition and it seems I missed something :-/

The zone has been re-generated and records with signatures close to expiring have been re-signed.

Thank you for all the alerts I received from many of you, that allowed us to fix it as fast as possible (it could have been better, but Murphy's laws...).

Best regards,
Vincent

On 04 May, Thomas Dupas via dns-operations wrote:

> Date: Mon, 4 May 2020 20:31:54 +
> From: Thomas Dupas
> To: "dns-operati...@dns-oarc.net", "dns-operations@lists.dns-oarc.net"
> Subject: Re: [dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.
>
> I'll leave it to Vincent/Afnic to answer on this more extensively once there
> is more clarity, but we noticed it as well ~3 hours ago for dnsbelgium.fr .
> Mail + text message has been sent to Vincent and his colleagues at the time,
> they were looking into it.
> I've just been in contact with him again, to be sure he knew.
> They're aware; and working on it, would let them work on the issue at this
> phase instead of tracking the various channels.
>
> Br,
>
> Thomas
>
> On 04/05/2020, 22:11, "dns-operations on behalf of Viktor Dukhovni" wrote:
>
>     On Mon, May 04, 2020 at 09:35:26PM +0200, Martin Wismer wrote:
>
>     > I noticed that the DNSSEC signed domains under top-level domain fr.
>     > have been failing for about 4 hours.
>
>     Indeed, there does seem to be a problem with expired DS RR signatures.
>     A random sample of 1000 .fr child domains (out of 398,564 total known
>     to me signed .fr domains) returns DS lookup ServFail for 205 of them.
>
>     The associated RRSIG expiration times are:
>
>         204 20200504145605
>           1 20200504174835
>
>     We can estimate the standard-deviation at ~sqrt(n*p*q) or ~13, so
>     the 3-sigma interval is roughly 16% to 24% of the DS RRSIGs are
>     now expired, affecting ~80k signed domains.
>
>     > Could anybody please fix this?
>
>     I sent a Twitter message to "Vincent Levigneron", but likely some AFNIC
>     folks are on this list.
>
>     > Has anybody else also noticed this?
>
>     Yes. See above.
>
>     --
>     Viktor.

--
Vincent Levigneron
A.F.N.I.C.
vincent.levigne...@afnic.fr

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
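An added example, not part of the thread and not Afnic's monitoring code: an expiry and clustering check of the kind the message above says should have caught this, run over a sample of RRSIG expiration fields, together with the sqrt(n*p*q) estimate quoted in the message. The function names, the 7-day warning window, the 5% clustering threshold and the 795 spread-out timestamps are assumptions; the two expired timestamps, the sample counts and the 398,564 population come from the thread.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from math import sqrt

FMT = "%Y%m%d%H%M%S"  # RRSIG expiration field in presentation format, UTC

def parse_rrsig_time(field):
    return datetime.strptime(field, FMT).replace(tzinfo=timezone.utc)

def audit(expirations, now, warn=timedelta(days=7), max_share=0.05):
    """Count expired and soon-to-expire signatures, and report expiration
    times shared by more than max_share of the set (signatures that are not
    spread over time). warn and max_share are assumed thresholds."""
    times = [parse_rrsig_time(e) for e in expirations]
    expired = sum(t <= now for t in times)
    expiring = sum(now < t <= now + warn for t in times)
    clustered = {e: c for e, c in Counter(expirations).items()
                 if c / len(expirations) > max_share}
    return {"expired": expired, "expiring": expiring, "clustered": clustered}

def extrapolate(sample_size, failures, population, sigmas=3):
    """Normal approximation used in the thread: sd = sqrt(n*p*q)."""
    p = failures / sample_size
    sd = sqrt(sample_size * p * (1 - p))
    low = max(0.0, (failures - sigmas * sd) / sample_size)
    high = min(1.0, (failures + sigmas * sd) / sample_size)
    return {"sd": sd, "low": low, "high": high,
            "affected": round(p * population),
            "affected_range": (round(low * population), round(high * population))}

# Sample of 1000: the 205 expired values are the ones reported in the thread;
# the other 795 are constructed, one every two hours from 2020-05-06 00:00 UTC.
_start = datetime(2020, 5, 6, tzinfo=timezone.utc)
SAMPLE = (["20200504145605"] * 204 + ["20200504174835"]
          + [(_start + timedelta(hours=2 * i)).strftime(FMT) for i in range(795)])
# Time of the first report in the thread (21:35:26 +0200), in UTC.
NOW = datetime(2020, 5, 4, 19, 35, 26, tzinfo=timezone.utc)

if __name__ == "__main__":
    report = audit(SAMPLE, NOW)
    print(report)
    print(extrapolate(len(SAMPLE), report["expired"], 398564))
```

A check like this is only useful if it runs against the zone as published and alerts on the `expiring` and `clustered` counts before anything reaches `expired`.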
Re: [dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.
--- Begin Message ---

I'll leave it to Vincent/Afnic to answer on this more extensively once there is more clarity, but we noticed it as well a few hours ago for dnsbelgium.fr .
Mail + text message has been sent to Vincent and his colleagues at the time, they were looking into it.
I've been in contact with him again ~30 min ago, to be sure he knew.
They're aware; and working on it, would let them work on the issue at this phase instead of tracking the various channels.

Br,

Thomas

From: dns-operations on behalf of Viktor Dukhovni
Sent: Monday, May 4, 2020 10:23 PM
To: dns-operati...@dns-oarc.net
Subject: Re: [dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.

On Mon, May 04, 2020 at 04:01:41PM -0400, Viktor Dukhovni wrote:

> On Mon, May 04, 2020 at 09:35:26PM +0200, Martin Wismer wrote:
>
> > I noticed that the DNSSEC signed domains under top-level domain fr.
> > have been failing for about 4 hours.
>
> Indeed, there does seem to be a problem with expired DS RR signatures.
> A random sample of 1000 .fr child domains (out of 398,564 total known
> to me signed .fr domains) returns DS lookup ServFail for 205 of them.
>
> The associated RRSIG expiration times are:
>
>     204 20200504145605
>       1 20200504174835

All 205 expired DS RRsets from the initial sample now have a DS RRSIG with an expiration time of 20200703184136 (retrieved directly from authoritative .FR servers). So it looks like progress is being made to resolve this.

--
Viktor.

--- End Message ---
Re: [dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.
--- Begin Message ---

I'll leave it to Vincent/Afnic to answer on this more extensively once there is more clarity, but we noticed it as well ~3 hours ago for dnsbelgium.fr .
Mail + text message has been sent to Vincent and his colleagues at the time, they were looking into it.
I've just been in contact with him again, to be sure he knew.
They're aware; and working on it, would let them work on the issue at this phase instead of tracking the various channels.

Br,

Thomas

On 04/05/2020, 22:11, "dns-operations on behalf of Viktor Dukhovni" wrote:

    On Mon, May 04, 2020 at 09:35:26PM +0200, Martin Wismer wrote:

    > I noticed that the DNSSEC signed domains under top-level domain fr.
    > have been failing for about 4 hours.

    Indeed, there does seem to be a problem with expired DS RR signatures.
    A random sample of 1000 .fr child domains (out of 398,564 total known
    to me signed .fr domains) returns DS lookup ServFail for 205 of them.

    The associated RRSIG expiration times are:

        204 20200504145605
          1 20200504174835

    We can estimate the standard-deviation at ~sqrt(n*p*q) or ~13, so
    the 3-sigma interval is roughly 16% to 24% of the DS RRSIGs are
    now expired, affecting ~80k signed domains.

    > Could anybody please fix this?

    I sent a Twitter message to "Vincent Levigneron", but likely some AFNIC
    folks are on this list.

    > Has anybody else also noticed this?

    Yes. See above.

    --
    Viktor.

--- End Message ---
Re: [dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.
Hi all,

I'm on it. Sorry to be so brief in this message, we have to fix it.

New zones with new RRSIG have just been released. It should be better now.

On 04 May, Viktor Dukhovni wrote:

> On Mon, May 04, 2020 at 09:35:26PM +0200, Martin Wismer wrote:
>
> > I noticed that the DNSSEC signed domains under top-level domain fr.
> > have been failing for about 4 hours.
>
> Indeed, there does seem to be a problem with expired DS RR signatures.
> A random sample of 1000 .fr child domains (out of 398,564 total known
> to me signed .fr domains) returns DS lookup ServFail for 205 of them.
>
> The associated RRSIG expiration times are:
>
>     204 20200504145605
>       1 20200504174835
>
> We can estimate the standard-deviation at ~sqrt(n*p*q) or ~13, so
> the 3-sigma interval is roughly 16% to 24% of the DS RRSIGs are
> now expired, affecting ~80k signed domains.
>
> > Could anybody please fix this?
>
> I sent a Twitter message to "Vincent Levigneron", but likely some AFNIC
> folks are on this list.
>
> > Has anybody else also noticed this?
>
> Yes. See above.
>
> --
> Viktor.

--
Vincent Levigneron
A.F.N.I.C.
vincent.levigne...@afnic.fr
Re: [dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.
On Mon, May 04, 2020 at 09:35:26PM +0200, Martin Wismer wrote:

> I noticed that the DNSSEC signed domains under top-level domain fr.
> have been failing for about 4 hours.

Indeed, there does seem to be a problem with expired DS RR signatures. A random sample of 1000 .fr child domains (out of 398,564 total known to me signed .fr domains) returns DS lookup ServFail for 205 of them.

The associated RRSIG expiration times are:

    204 20200504145605
      1 20200504174835

We can estimate the standard-deviation at ~sqrt(n*p*q) or ~13, so the 3-sigma interval is roughly 16% to 24% of the DS RRSIGs are now expired, affecting ~80k signed domains.

> Could anybody please fix this?

I sent a Twitter message to "Vincent Levigneron", but likely some AFNIC folks are on this list.

> Has anybody else also noticed this?

Yes. See above.

--
Viktor.
Re: [dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.
On Mon, May 4, 2020 at 3:41 PM Martin Wismer wrote:

> Hello, Bonjour,
>
> I noticed that the DNSSEC signed domains under top-level domain fr.
> have been failing for about 4 hours.
>
> Example Domains:
> m6replay.fr.
> climato-realistes.fr.
> langue-au-chat.fr
> sully-group.fr
>
> Could anybody please fix this?
> Has anybody else also noticed this?
> Thanks or merci beaucoup. Greetings
> Martin.Wismer.

Yes, I notice the same. The signature on the DS RRset for these zones (in the .fr parent) has expired (May 4 15:19:46 2020 UTC for the first).

Shumon.
[dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.
Hello, Bonjour,

I noticed that the DNSSEC signed domains under top-level domain fr. have been failing for about 4 hours.

Example Domains:
m6replay.fr.
climato-realistes.fr.
langue-au-chat.fr
sully-group.fr

Could anybody please fix this?
Has anybody else also noticed this?

Thanks or merci beaucoup. Greetings
Martin.Wismer.