[dns-operations] DNSSEC Signatures failed in Top-Level Domain fr.

Vincent Levigneron vincent.levigneron at afnic.fr
Mon May 4 22:28:03 UTC 2020

Thank you Thomas,

Well, we had around 12% of the 800 000 RRSIG records that expired today.
While it should not happen (I'm still looking to find out what went
wrong) because signatures are supposed to be spread over time in the .fr
zone to avoid to re-sign lot's of them at the same time.

Our monitoring system did not detect this case while it is supposed to be
addressed. I just found out that a bug was introduced in it recently when I
worked on the algorithm rollover from RSA to ECDSA. We had to modify
many configurations, scripts, processes during this transition and it
seems I missed something :-/

The zone has been re-generated and records with signatures close to
expire have been re-signed.

Thank you for all the alerts I received from many of you, that allowed to
fix it as fast as possible (it could had been better, but Murphy's

Best regards,


le 04 mai, Thomas Dupas via dns-operations a ?crit :
> Date: Mon, 4 May 2020 20:31:54 +0000
> From: Thomas Dupas <thomas.dupas at dnsbelgium.be>
> To: "dns-operations at dns-oarc.net" <dns-operations at dns-oarc.net>,
>  "dns-operations at lists.dns-oarc.net" <dns-operations at lists.dns-oarc.net>
> Subject: Re: [dns-operations] DNSSEC Signatures failed in Top-Level Domain
>  fr.
> I'll leave it to Vincent/Afnic to answer on this more extensively once there is more clarity, but we noticed it as well ~3 hours ago for dnsbelgium.fr .
> Mail + text message has been sent to Vincent and his colleagues at the time, they were looking into it.
> I've just been in contact with him again, to be sure he knew.
> They're aware; and working on it, would let them work on the issue at this phase instead of tracking the various channels.
> Br,
> Thomas
> On 04/05/2020, 22:11, "dns-operations on behalf of Viktor Dukhovni" <dns-operations-bounces at dns-oarc.net on behalf of ietf-dane at dukhovni.org> wrote:
>     On Mon, May 04, 2020 at 09:35:26PM +0200, Martin Wismer wrote:
>     > I noticed, that the DNSSEC signed Domains under top-Level Domain fr. 
>     > failed since about 4 hours.
>     Indeed, there does seem to be a problem with expired DS RR signatures.
>     A random sample of 1000 .fr child domains (out of 398,564 total known
>     to me signed .fr domains) returns DS lookup ServFail for 205 of them.
>     The associated RRSIG expiration times are:
>             204 20200504145605
>               1 20200504174835
>     We can estimate the standard-deviation at ~sqrt(n*p*q) or ~13, so
>     the 3-sigma interval is roughly 16% to 24% of the DS RRSIGs are
>     now expired, affecting ~80k signed domains.
>     > Could anybody please fix this?
>     I sent a Twitter message to "Vincent Levigneron", but likely some AFNIC
>     folks are on this list.
>     > Does anybody else also noticed this?
>     Yes.  See above.
>     -- 
>         Viktor.
>     _______________________________________________
>     dns-operations mailing list
>     dns-operations at lists.dns-oarc.net
>     https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.dns-oarc.net%2Fmailman%2Flistinfo%2Fdns-operations&data=02%7C01%7Cthomas.dupas%40dnsbelgium.be%7C4f03a38e053a4d3cc79b08d7f0675d75%7C695195dec0cb447892042a861e60e59c%7C0%7C0%7C637242199052215789&sdata=7N%2BVPpdBP%2B4ryATNP5qOW44TuugKezsocgTxkTd5yks%3D&reserved=0

> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

	Vincent Levigneron  A.F.N.I.C.  Vincent.Levigneron at afnic.fr
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20200505/bb6a6708/attachment-0001.sig>

More information about the dns-operations mailing list