[dns-operations] Someone from Cloudflare here?

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Oct 27 02:08:31 UTC 2020


On Mon, Oct 26, 2020 at 09:01:49PM -0400, John Franklin wrote:

> agrilinks.org.		3600	IN	DNSKEY	257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
> agrilinks.org.		3600	IN	DNSKEY	256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
> agrilinks.org.		3600	IN	RRSIG	DNSKEY 13 2 3600 20201024231704 20200825231704 2371 agrilinks.org. e1Gd3UjvzbN2HWnNrRgzHoeoGEg6+swFF3JKwoF1cTJrda/O2O9J8KbP SBJuWa6T7XjFXs+bXGipIJROwxr3Sw==

Indeed the RRSIG expired on the 24th, and my DANE survey engine has been
failing DNSKEY lookups for your domain since:

    https://stats.dnssec-tools.org/explore/?agrilinks.org

FWIW, looking more closely at the data, I see the following key
history, which shows an RSASHA256 KSK from 2018-07-29 to 2020-07-22,
that was rolled over to an ECDSA P256 KSK on 2020-07-22 and monthly
rollovers of the ZSK also cutting over to P256 on 2020-07-22.
Neither have rolled since, so it seems plausible that there's a
provisioning glitch associated with the key rollover:

         qname     | flags | alg |   stime    |   etime    |    kid     
    ---------------+-------+-----+------------+------------+------------
     agrilinks.org |   257 |   8 | 2018-07-29 | 2020-07-22 |   26428972
     agrilinks.org |   257 |  13 | 2020-07-22 |            |        486
     agrilinks.org |   256 |   8 | 2018-07-29 | 2018-08-24 |   26428971
     agrilinks.org |   256 |   8 | 2018-08-22 | 2018-09-23 |   27577745
     agrilinks.org |   256 |   8 | 2018-09-21 | 2018-10-23 |   28786093
     agrilinks.org |   256 |   8 | 2018-10-21 | 2018-11-22 |   30019333
     agrilinks.org |   256 |   8 | 2018-11-20 | 2018-12-22 |   31376994
     agrilinks.org |   256 |   8 | 2018-12-20 | 2019-01-21 |   33187171
     agrilinks.org |   256 |   8 | 2019-01-18 | 2019-02-19 |   34971114
     agrilinks.org |   256 |   8 | 2019-02-18 | 2019-03-21 |   36691748
     agrilinks.org |   256 |   8 | 2019-03-20 | 2019-04-21 |   38381210
     agrilinks.org |   256 |   8 | 2019-04-18 | 2019-05-21 |   39797099
     agrilinks.org |   256 |   8 | 2019-05-18 | 2019-06-20 |   41278717
     agrilinks.org |   256 |   8 | 2019-06-17 | 2019-07-20 |   42961557
     agrilinks.org |   256 |   8 | 2019-07-18 | 2019-08-19 |   44855339
     agrilinks.org |   256 |   8 | 2019-08-17 | 2019-09-18 |   46352803
     agrilinks.org |   256 |   8 | 2019-09-15 | 2019-10-18 |   47852963
     agrilinks.org |   256 |   8 | 2019-10-15 | 2019-11-17 |   49338606
     agrilinks.org |   256 |   8 | 2019-11-15 | 2019-12-17 |   51405954
     agrilinks.org |   256 |   8 | 2019-12-15 | 2020-01-15 |   53631391
     agrilinks.org |   256 |   8 | 2020-01-13 | 2020-02-15 |   55415629
     agrilinks.org |   256 |   8 | 2020-02-12 | 2020-03-16 |  725808556
     agrilinks.org |   256 |   8 | 2020-03-14 | 2020-04-15 | 1382135258
     agrilinks.org |   256 |   8 | 2020-04-12 | 2020-05-14 | 2010477564
     agrilinks.org |   256 |   8 | 2020-05-12 | 2020-06-13 | 2651956230
     agrilinks.org |   256 |   8 | 2020-06-11 | 2020-07-13 | 3330283223
     agrilinks.org |   256 |   8 | 2020-07-11 | 2020-07-22 | 4024196652
     agrilinks.org |   256 |  13 | 2020-07-22 |            |   29460111

The rather low KSK key row id ("kid") of 486 is due to the fact that
the P256 key in question has been in use as a KSK over the last ~3 years
by ~262,991 distinct domains and is still in use by ~206,413 of them.

So back in July your domain must have been migrated to use the shared
live-signing ECDSA infrastructure, but it seems something did not go
right, or your Cloudflare account has some underlying issue.

-- 
    Viktor.
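The diagnosis above rests on two checks: is the RRSIG over the DNSKEY RRset still inside its validity window, and which key (by RFC 4034 key tag) produced it. Here is an added example, not code from the thread or from Viktor's survey engine, that performs both on the records quoted in the message; the seven-day "expiring-soon" threshold and the record layout (dig presentation format) are assumptions.

```python
import base64
import struct
from datetime import datetime, timezone

# Constructed sample input: the DNSKEY RRset and its RRSIG as quoted in the thread.
DNSKEY_RECORDS = [
    "agrilinks.org. 3600 IN DNSKEY 257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+"
    " KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==",
    "agrilinks.org. 3600 IN DNSKEY 256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8"
    " KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==",
]
RRSIG_RECORD = ("agrilinks.org. 3600 IN RRSIG DNSKEY 13 2 3600 20201024231704 20200825231704 2371"
                " agrilinks.org. e1Gd3UjvzbN2HWnNrRgzHoeoGEg6+swFF3JKwoF1cTJrda/O2O9J8KbP"
                " SBJuWa6T7XjFXs+bXGipIJROwxr3Sw==")

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (the non-RSAMD5 form) over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskey(line):
    f = line.split()  # dig may wrap the base64 key across whitespace; rejoin it
    return {"flags": int(f[4]), "alg": int(f[6]),
            "tag": key_tag(int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]))}

def parse_rrsig(line):
    f = line.split()  # ... RRSIG <type> <alg> <labels> <origttl> <expire> <incept> <tag> <signer> ...
    ts = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return {"type": f[4], "alg": int(f[5]), "expire": ts(f[8]), "incept": ts(f[9]), "tag": int(f[10])}

def check_rrsig(rrsig_line, dnskey_lines, now, warn_days=7):
    """Classify the signature's validity at `now` and find the DNSKEY whose tag matches it."""
    sig = parse_rrsig(rrsig_line)
    keys = [parse_dnskey(k) for k in dnskey_lines]
    signer = next((k for k in keys if k["tag"] == sig["tag"] and k["alg"] == sig["alg"]), None)
    if now < sig["incept"]:
        status = "not-yet-valid"
    elif now >= sig["expire"]:
        status = "expired"
    elif (sig["expire"] - now).days < warn_days:  # assumed monitoring threshold
        status = "expiring-soon"
    else:
        status = "valid"
    return {"status": status, "expire": sig["expire"], "signer_tag": sig["tag"],
            "signer_flags": signer["flags"] if signer else None}

if __name__ == "__main__":
    print(check_rrsig(RRSIG_RECORD, DNSKEY_RECORDS, datetime.now(timezone.utc)))
```

At the time of the post (2020-10-27 02:08:31 UTC) the check reports the signature as expired and attributes it to the flags-257 (KSK) key with tag 2371, matching the RRSIG's own key-tag field.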