[dns-operations] DNSSEC Validation Failures for RIPE NCC Zones
anandb at ripe.net
Fri May 22 12:22:03 UTC 2020
Yesterday afternoon (21 May 2020), our DNSSEC signer rolled the Zone
Signing Keys (ZSKs) of all the zones we operate. Unfortunately, a bug in
the signer caused it to withdraw the old ZSKs soon after the new keys
began signing the zones.
Validating resolvers may have experienced some failures if they had
cached signatures made by the old ZSKs.
We apologise for any operational problems this may have caused. We are
looking at the issue with the developers of our Knot DNS signer to
prevent such an occurrence in the future.
More information about the dns-operations