[dns-operations] Report on recent signature expiry in IP6.ARPA
Patrik Wallström
pawal at blipp.com
Wed May 25 07:49:38 UTC 2011
Hi!
First of all, thank you for the report!
On May 23, 2011, at 4:41 PM, Dave Knight wrote:
> Signer Failure
>
> ICANN's signing infrastructure for IP6.ARPA is based on a distributed set of signers running OpenDNSSEC version 1.0. At any time only one host is designated as the active signer. OpenDNSSEC state is replicated between machines in order to facilitate manual fail-over. Private key material is stored only on HSMs.
>
> OpenDNSSEC stores state relating to the ongoing process of signing zones. At some point between 2011-05-08 03:26 UTC and 2011-05-08 06:25 UTC the active signer's retained state for the IP6.ARPA zone appears to have become corrupted. Due to the corrupted state, successive signer runs did not produce a signed zone, and hence no updated signatures were published following that time. The root cause of the corruption has not yet been precisely identified.
Do you know which files were corrupted? Was this on the "master" machine, or how do you perform the file replication?
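As an added example for this thread (not ICANN's nor OpenDNSSEC's code), a small RRSIG expiry monitor that flags the condition described above: signatures that a stalled signer is no longer refreshing. The zone lines, key tag and signature fields are constructed placeholders.

```python
"""RRSIG expiry monitor: flag signatures that are expired or close to expiring.

Added example, not ICANN's or OpenDNSSEC's code.  A check like this, run
against the published zone, would have raised an alert well before the
IP6.ARPA signatures expired.  All record data below is constructed.
"""
from datetime import datetime, timezone

# Constructed sample: one fresh signature, one about to expire, one already
# expired, all relative to CHECK_TIME.  Field order follows RFC 4034 s.3.2:
# owner TTL IN RRSIG type alg labels origTTL expiration inception keytag signer sig
CHECK_TIME = datetime(2011, 5, 9, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_ZONE = """\
ip6.arpa.       86400 IN RRSIG SOA 8 2 86400 20110523000000 20110509000000 11111 ip6.arpa. AAAA
ip6.arpa.       86400 IN RRSIG NS  8 2 86400 20110510060000 20110426060000 11111 ip6.arpa. BBBB
8.e.f.ip6.arpa. 86400 IN RRSIG NS  8 4 86400 20110509030000 20110425030000 11111 ip6.arpa. CCCC
"""

def parse_rrsig_time(field: str) -> datetime:
    """RRSIG times are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_rrsig_expiry(zone_text: str, now: datetime, warn_seconds: int):
    """Return (owner, type_covered, status, seconds_left) for every RRSIG line.

    status is 'expired' (outside the validity window, so validators fail),
    'expiring' (fewer than warn_seconds remaining) or 'ok'.
    """
    results = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 12 or fields[3] != "RRSIG":
            continue  # not an RRSIG record (or a truncated line): skip it
        owner, type_covered = fields[0], fields[4]
        expiration = parse_rrsig_time(fields[8])
        inception = parse_rrsig_time(fields[9])
        left = int((expiration - now).total_seconds())
        if now < inception or left <= 0:
            status = "expired"
        elif left < warn_seconds:
            status = "expiring"
        else:
            status = "ok"
        results.append((owner, type_covered, status, left))
    return results

def problems(zone_text: str, now: datetime, warn_seconds: int):
    """Only the RRSIGs an operator has to act on."""
    return [r for r in check_rrsig_expiry(zone_text, now, warn_seconds) if r[2] != "ok"]

if __name__ == "__main__":
    for owner, rtype, status, left in problems(SAMPLE_ZONE, CHECK_TIME, 2 * 86400):
        print(f"{status:8s} {owner} RRSIG({rtype}) expires in {left} s")
```

The warning threshold should sit well above the signer's resign interval, so that one missed signer run is caught before validators start failing.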