[dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.

Vincent Levigneron vincent.levigneron at afnic.fr
Mon May 4 20:22:14 UTC 2020


Hi all, I'm on it. Sorry to be so brief in this message, we have to fix
it. New zones with new RRSIG have just been released. It should be
better now.

On 04 May, Viktor Dukhovni wrote:
> On Mon, May 04, 2020 at 09:35:26PM +0200, Martin Wismer wrote:
> 
> > I noticed that the DNSSEC-signed domains under the top-level domain fr.
> > have been failing for about 4 hours.
> 
> Indeed, there does seem to be a problem with expired DS RR signatures.
> A random sample of 1000 .fr child domains (out of 398,564 total known
> to me signed .fr domains) returns DS lookup ServFail for 205 of them.
> 
> The associated RRSIG expiration times are:
> 
>         204 20200504145605
>           1 20200504174835
> 
> We can estimate the standard-deviation at ~sqrt(n*p*q) or ~13, so
> the 3-sigma interval is roughly 16% to 24% of the DS RRSIGs are
> now expired, affecting ~80k signed domains.
> 
> > Could anybody please fix this?
> 
> I sent a Twitter message to "Vincent Levigneron", but likely some AFNIC
> folks are on this list.
> 
> > Has anybody else also noticed this?
> 
> Yes.  See above.
> 
> -- 
>     Viktor.

-- 
	Vincent Levigneron  A.F.N.I.C.  Vincent.Levigneron at afnic.fr
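
The check described in the quoted reply, as an added example (not code from either poster or from AFNIC): it flags DS RRSIGs whose expiration has passed, tallies them by expiration time, and reproduces the sqrt(n*p*q) estimate from the figures in the message. The owner names, algorithm, key tag and signature bytes in the sample are constructed, and timestamps are assumed to be in the YYYYMMDDHHMMSS form that dig prints.

```python
import math
import re
from collections import Counter
from datetime import datetime, timezone

# Fields: owner TTL IN RRSIG covered alg labels orig-ttl expiration inception tag signer sig
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<exp>\d{14})\s+\d{14}\s+\d+\s+\S+\s+\S+", re.M)

def _ts(stamp):
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def expired_ds_rrsigs(answer_text, now):
    """Map owner name -> expiration stamp for DS RRSIGs already expired at `now`."""
    return {m["owner"]: m["exp"] for m in RRSIG_RE.finditer(answer_text)
            if m["covered"] == "DS" and _ts(m["exp"]) < now}

def expiry_tally(expired):
    """Count expired signatures per expiration stamp."""
    return Counter(expired.values())

def estimate(n, k, population, sigmas=3):
    """Return (std-dev of the count, low share, high share, affected domains)."""
    p = k / n
    sd = math.sqrt(n * p * (1 - p))  # sqrt(n*p*q) with q = 1 - p
    return sd, (k - sigmas * sd) / n, (k + sigmas * sd) / n, round(p * population)

# Constructed sample in dig answer format; only the two expired stamps come from the thread.
SAMPLE = """\
alpha.fr. 172800 IN RRSIG DS 8 2 172800 20200504145605 20200305145605 11111 fr. Y29uc3RydWN0ZWQ=
beta.fr. 172800 IN RRSIG DS 8 2 172800 20200704120000 20200504180000 11111 fr. Y29uc3RydWN0ZWQ=
gamma.fr. 172800 IN RRSIG DS 8 2 172800 20200504174835 20200305174835 11111 fr. Y29uc3RydWN0ZWQ=
hashlabel.fr. 5400 IN RRSIG NSEC3 8 2 5400 20200504145605 20200305145605 11111 fr. Y29uc3RydWN0ZWQ=
"""

if __name__ == "__main__":
    now = datetime(2020, 5, 4, 20, 22, 14, tzinfo=timezone.utc)  # timestamp of this message
    expired = expired_ds_rrsigs(SAMPLE, now)
    for stamp, count in sorted(expiry_tally(expired).items()):
        print(f"{count:>8} {stamp}")
    sd, low, high, affected = estimate(1000, 205, 398564)  # figures from the quoted reply
    print(f"sd ~{sd:.0f}, {low:.1%} to {high:.1%} expired, ~{affected} domains")
```

For monitoring, run the same comparison with `now` shifted forward by the alerting margin so that signatures close to expiry are reported before validators start returning ServFail.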