[dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.

Thomas Dupas thomas.dupas at dnsbelgium.be
Mon May 4 20:31:54 UTC 2020

I'll leave it to Vincent/Afnic to answer on this more extensively once there is more clarity, but we noticed it as well ~3 hours ago for dnsbelgium.fr .
Mail + text message has been sent to Vincent and his colleagues at the time, they were looking into it.
I've just been in contact with him again, to be sure he knew.
They're aware; and working on it, would let them work on the issue at this phase instead of tracking the various channels.



On 04/05/2020, 22:11, "dns-operations on behalf of Viktor Dukhovni" <dns-operations-bounces at dns-oarc.net on behalf of ietf-dane at dukhovni.org> wrote:

    On Mon, May 04, 2020 at 09:35:26PM +0200, Martin Wismer wrote:
    > I noticed, that the DNSSEC signed Domains under top-Level Domain fr. 
    > failed since about 4 hours.
    Indeed, there does seem to be a problem with expired DS RR signatures.
    A random sample of 1000 .fr child domains (out of 398,564 total known
    to me signed .fr domains) returns DS lookup ServFail for 205 of them.
    The associated RRSIG expiration times are:
            204 20200504145605
              1 20200504174835
    We can estimate the standard-deviation at ~sqrt(n*p*q) or ~13, so
    the 3-sigma interval is roughly 16% to 24% of the DS RRSIGs are
    now expired, affecting ~80k signed domains.
    > Could anybody please fix this?
    I sent a Twitter message to "Vincent Levigneron", but likely some AFNIC
    folks are on this list.
    > Does anybody else also noticed this?
    Yes.  See above.
    dns-operations mailing list
    dns-operations at lists.dns-oarc.net

More information about the dns-operations mailing list