[dns-operations] expired signatures in IP6.ARPA
cet1 at cam.ac.uk
Mon May 23 11:07:35 UTC 2011
On May 16 2011, Joe Abley wrote:

>As noted earlier on this list (and in private mail by others), there
>were some validation problems for names in the IP6.ARPA domain due to
>expired signatures in the IP6.ARPA zone.
>
>Initial remedial action has led to fresh signatures in IP6.ARPA serial
>2011022093, relieving the immediate validation difficulties.
>
>We will commence a full post-mortem tomorrow and will publish an
>incident report including actions to be taken to prevent recurrence.
>
>Initial observations suggest that this problem was a combination of
>(a) a bug in the deployed signer and (b) a monitoring defect which
>prevented this from being noticed before the signatures expired.

Not meaning to be impatient, but when can we expect the incident

I suppose several of us are wondering "Was it just chance that it
struck IP6.ARPA? Could it equally easily have been IN-ADDR.ARPA?"
Probably a lot more people would have noticed that! - we only got
one report from a local user about reverse IPv6 lookup failing.

Chris Thompson
University of Cambridge Computing Service,
New Museums Site, Cambridge CB2 3QH,
United Kingdom.
Email: cet1 at ucs.cam.ac.uk
Phone: +44 1223 334715