[dns-operations] DNSSEC signing bugfix in Knot DNS 2.9.5 (was: DNSSEC Validation Failures for RIPE NCC Zones)

Petr Špaček petr.spacek at nic.cz
Mon May 25 09:16:39 UTC 2020


On 22. 05. 20 14:22, Anand Buddhdev wrote:
> Dear colleagues,
> 
> Yesterday afternoon (21 May 2020), our DNSSEC signer rolled the Zone Signing Keys (ZSKs) of all the zones we operate. Unfortunately, a bug in the signer caused it to withdraw the old ZSKs soon after the new keys began signing the zones.
> 
> Validating resolvers may have experienced some failures if they had cached signatures made by the old ZSKs.
> 
> We apologise for any operational problems this may have caused. We are looking at the issue with the developers of our Knot DNS signer to prevent such an occurrence in the future.

Knot DNS 2.9.5 with a fix for this particular problem was released and we encourage all users to upgrade.

Full release announcement:
https://lists.nic.cz/pipermail/knot-dns-users/2020-May/001815.html

The bug sometimes caused automatic key roll-overs to be finished too early, leading to temporary DNSSEC validation failures.

More detailed problem description + workaround:
https://lists.nic.cz/pipermail/knot-dns-users/2020-May/001813.html

We apologize to everyone affected.

-- 
Petr Špaček  @  CZ.NIC
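The failure mode described in this thread (the old ZSK withdrawn from the DNSKEY RRset while resolvers still hold cached RRSIGs made with it) can be modelled with a short timeline check. The following is an added example written for this page; it is not code from Knot DNS or from either poster, and all key tags, TTLs and intervals are constructed sample values. It applies the pre-publication rollover rule from RFC 7583: the old ZSK must stay published for at least the signature refresh period plus the zone propagation delay plus the RRSIG TTL after the new ZSK starts signing.

```python
"""
Pre-publication ZSK rollover timing model (RFC 6781 / RFC 7583).

Time is measured in seconds after the new ZSK starts signing (t = 0).
Old-key RRSIGs may still be served until every RRset has been re-signed
(sig_refresh) and every secondary has caught up (propagation_delay); a
resolver that fetched one of them keeps it for rrsig_ttl. If the old ZSK
leaves the DNSKEY RRset before that cached signature expires, the cached
RRSIG can no longer be validated.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample key tags (not from the original message).
OLD_ZSK_TAG = 11111   # outgoing ZSK
NEW_ZSK_TAG = 22222   # incoming ZSK


@dataclass(frozen=True)
class CachedRRSIG:
    key_tag: int      # key tag of the ZSK that made this signature
    fetched_at: int   # when the resolver cached it (seconds after t = 0)
    ttl: int          # RRSIG TTL, i.e. the TTL of the covered RRset

    def in_cache_at(self, now: int) -> bool:
        """True while the resolver still serves this RRSIG from cache."""
        return self.fetched_at <= now < self.fetched_at + self.ttl


def min_retire_delay(sig_refresh: int, rrsig_ttl: int, propagation_delay: int) -> int:
    """Earliest safe moment to drop the old ZSK from the DNSKEY RRset:
    retire interval >= sig_refresh + propagation_delay + rrsig_ttl (RFC 7583)."""
    return sig_refresh + propagation_delay + rrsig_ttl


def dnskey_set_at(now: int, retire_at: int) -> frozenset:
    """Key tags a resolver sees in the DNSKEY RRset fetched at `now`."""
    keys = {NEW_ZSK_TAG}
    if now < retire_at:
        keys.add(OLD_ZSK_TAG)
    return frozenset(keys)


def validates(cached: CachedRRSIG, now: int, retire_at: int) -> bool:
    """Can the resolver validate `cached` at time `now`?

    An expired cache entry is refetched and will carry a live-key RRSIG, so
    only signatures still in cache can fail."""
    if not cached.in_cache_at(now):
        return True
    return cached.key_tag in dnskey_set_at(now, retire_at)


def first_failure(retire_at: int, sig_refresh: int, rrsig_ttl: int,
                  propagation_delay: int, step: int = 600) -> Optional[int]:
    """Earliest time at which some resolver fails validation, or None if the
    retire time is safe. Resolver fetch times and check times are sampled on
    a `step`-second grid."""
    last_old_sig = sig_refresh + propagation_delay   # last moment an old-key RRSIG is served
    failures = []
    for fetched_at in range(0, last_old_sig + 1, step):
        sig = CachedRRSIG(OLD_ZSK_TAG, fetched_at, rrsig_ttl)
        for now in range(fetched_at, fetched_at + rrsig_ttl, step):
            if not validates(sig, now, retire_at):
                failures.append(now)
    return min(failures) if failures else None


if __name__ == "__main__":
    # Constructed policy: 6 h signature refresh, 1 h RRSIG TTL, 30 min propagation.
    refresh, ttl, prop = 21600, 3600, 1800
    safe = min_retire_delay(refresh, ttl, prop)
    print("minimum retire delay:", safe, "s")
    print("retire after 30 min -> first failure at", first_failure(1800, refresh, ttl, prop))
    print("retire after", safe, "s -> first failure at", first_failure(safe, refresh, ttl, prop))
```

Running the block shows that withdrawing the old ZSK 30 minutes after the switch produces validation failures at exactly that moment for any resolver holding an old-key RRSIG, while waiting the full retire interval produces none; the same check can be run against a signer's configured refresh, TTL and propagation parameters before a rollover is scheduled.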

