[dns-operations] expired signatures in IP6.ARPA

Chris Thompson cet1 at cam.ac.uk
Mon May 23 11:07:35 UTC 2011

On May 16 2011, Joe Abley wrote:

>Hi all,
>As noted earlier on this list (and in private mail by others), there
>were some validation problems for names in the IP6.ARPA domain due to
>expired signatures in the IP6.ARPA zone.
>Initial remedial action has led to fresh signatures in IP6.ARPA serial
>2011022093, relieving the immediate validation difficulties.
>We will commence a full post-mortem tomorrow and will publish an
>incident report including actions to be taken to prevent recurrence.
>Initial observations suggest that this problem was a combination of
>(a) a bug in the deployed signer and (b) a monitoring defect which
>prevented this from being noticed before the signatures expired.

Not meaning to be impatient, but when can we expect the incident

I suppose several of us are wondering "Was it just chance that it
struck IP6.ARPA? Could it equally easily have been IN-ADDR.ARPA?"
Probably a lot more people would have noticed that! - we only got
one report from a local user about reverse IPv6 lookup failing.

Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.
