[dns-operations] DNSSEC Validation Failures for RIPE NCC Zones

Anand Buddhdev anandb at ripe.net
Fri May 22 12:22:03 UTC 2020

Dear colleagues,

Yesterday afternoon (21 May 2020), our DNSSEC signer rolled the Zone 
Signing Keys (ZSKs) of all the zones we operate. Unfortunately, a bug in 
the signer caused it to withdraw the old ZSKs soon after the new keys 
began signing the zones.

Validating resolvers may have experienced some failures if they had 
cached signatures made by the old ZSKs.

We apologise for any operational problems this may have caused. We are 
looking at the issue with the developers of our Knot DNS signer to 
prevent such an occurrence in the future.

Anand Buddhdev

More information about the dns-operations mailing list