[dns-operations] DNSSEC validation failures for reverse delegations?

Arth Paulite arth at apnic.net
Mon Dec 10 17:40:31 UTC 2012


Hi All,

Here's a brief report of the DNSSEC outage at APNIC over the weekend. We
apologize if this caused any inconvenience.

Our active DNSSEC signer lost connectivity after a switch failure on 7
December 19:00 UTC+10. While the primary DNSSEC signer is offline,
incoming updates on APNIC reverse zones will only reflect on our internal
server. To avoid delay in publishing DNS updates on authoritative DNS
servers, we decided to configure our distribution server to use our
standby DNSSEC signer. While both signers had the same key pool from the
previous sync, the monthly automated ZSK roll-over completely changed
their own copies of the ZSKs used to sign the zone. This will result in
validation failure if resource records in the cache were still signed by
the previous keys.

Below are the zones affected by the ZSK changes.

101.in-addr.arpa
103.in-addr.arpa
106.in-addr.arpa
110.in-addr.arpa
111.in-addr.arpa
112.in-addr.arpa
113.in-addr.arpa
114.in-addr.arpa
115.in-addr.arpa
116.in-addr.arpa
117.in-addr.arpa
118.in-addr.arpa
119.in-addr.arpa
120.in-addr.arpa
121.in-addr.arpa
122.in-addr.arpa
123.in-addr.arpa
124.in-addr.arpa
125.in-addr.arpa
126.in-addr.arpa
14.in-addr.arpa
150.in-addr.arpa
153.in-addr.arpa
163.in-addr.arpa
171.in-addr.arpa
175.in-addr.arpa
180.in-addr.arpa
182.in-addr.arpa
183.in-addr.arpa
1.in-addr.arpa
202.in-addr.arpa
203.in-addr.arpa
210.in-addr.arpa
211.in-addr.arpa
218.in-addr.arpa
219.in-addr.arpa
220.in-addr.arpa
221.in-addr.arpa
222.in-addr.arpa
223.in-addr.arpa
27.in-addr.arpa
36.in-addr.arpa
39.in-addr.arpa
42.in-addr.arpa
43.in-addr.arpa
49.in-addr.arpa
58.in-addr.arpa
59.in-addr.arpa
60.in-addr.arpa
61.in-addr.arpa
0.4.2.ip6.arpa
2.0.1.0.0.2.ip6.arpa
3.0.1.0.0.2.ip6.arpa
4.4.1.0.0.2.ip6.arpa
5.4.1.0.0.2.ip6.arpa
8.1.0.0.2.ip6.arpa
9.1.0.0.2.ip6.arpa
a.1.0.0.2.ip6.arpa
b.1.0.0.2.ip6.arpa
c.0.1.0.0.2.ip6.arpa
d.0.1.0.0.2.ip6.arpa
e.0.1.0.0.2.ip6.arpa
f.0.1.0.0.2.ip6.arpa

--

Arth Paulite
APNIC - Infrastructure Services
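To illustrate the failure mode described above, here is an added Python example (not APNIC's code) that computes RFC 4034 key tags and checks whether RRSIGs a validator may still hold in cache reference a ZSK that is no longer in the published DNSKEY RRset, comparing a pre-publish roll with the standby-signer swap. The key material, timestamps and cache contents are constructed placeholders; only the zone name comes from the list above.

```python
import struct
from dataclasses import dataclass

def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1), computed
    over the DNSKEY RDATA: flags, protocol, algorithm, then the public key."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

@dataclass(frozen=True)
class CachedRrsig:
    owner: str
    rrtype: str
    key_tag: int          # RRSIG "key tag" field: which DNSKEY signed the RRset
    expiration: int       # RRSIG signature expiration, seconds since epoch

def stranded_rrsigs(published_dnskeys, cache, now):
    """Unexpired cached RRSIGs whose signing key is absent from the DNSKEY RRset
    the zone now publishes. A validator that re-fetches DNSKEY but still holds
    these RRSIGs in cache cannot verify them and answers SERVFAIL."""
    live_tags = {key_tag(*k) for k in published_dnskeys}
    return [s for s in cache if s.expiration > now and s.key_tag not in live_tags]

# Constructed sample keys (flags, protocol, algorithm, public key bytes);
# the key bytes are placeholders, not real zone keys. The KSK is unchanged.
KSK     = (257, 3, 8, b"\x03\x01\x00\x01")
ZSK_OLD = (256, 3, 8, b"\x01\x02")   # ZSK the primary signer last signed with
ZSK_NEW = (256, 3, 8, b"\x01\x03")   # ZSK the standby signer rolled to

NOW = 1_355_000_000                  # constructed "current time", Dec 2012
# Constructed resolver cache: RRSIGs fetched while ZSK_OLD was still signing.
CACHE = [
    CachedRrsig("203.in-addr.arpa", "SOA", key_tag(*ZSK_OLD), NOW + 3600),
    CachedRrsig("203.in-addr.arpa", "DNSKEY", key_tag(*KSK), NOW + 3600),
    CachedRrsig("1.203.in-addr.arpa", "DS", key_tag(*ZSK_OLD), NOW - 60),  # expired
]

def pre_publish_roll():
    """Old and new ZSK both stay published until cached RRSIGs age out."""
    return stranded_rrsigs([KSK, ZSK_OLD, ZSK_NEW], CACHE, NOW)

def standby_signer_swap():
    """Only the standby's new ZSK is published: old-key RRSIGs are stranded."""
    return stranded_rrsigs([KSK, ZSK_NEW], CACHE, NOW)

if __name__ == "__main__":
    for s in standby_signer_swap():
        print(f"{s.owner} {s.rrtype} RRSIG by key tag {s.key_tag} no longer verifiable")
```

The same check, run against a signer's real DNSKEY RRset and the longest RRSIG TTL still in flight, is a cheap pre-flight test before switching zone distribution to a standby signer.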



On 10/12/12 2:25 AM, "Stephane Bortzmeyer" <bortzmeyer at nic.fr> wrote:

>On Sat, Dec 08, 2012 at 03:26:43PM +0100,
> Sebastian Wiesinger <dns-operations at ml.karotte.org> wrote
> a message of 55 lines which said:
>
>> since last night around 0:30 CET I'm getting sporadic validation
>> failures for a handful of reverse delegations. Not many but a few
>> each hour, from seemingly unrelated delegations:
>
>They're not unrelated, they are all from APNIC.
>
>> Any idea what's going on? I'm not sure it's something interesting
>> but I hadn't had messages like that before and now I get a few every
>> hour.
>
>The problem was also reported on another list but, no, no official
>statement from APNIC.


