[dns-operations] Someone from Cloudflare here?
Viktor Dukhovni
ietf-dane at dukhovni.org
Tue Oct 27 02:08:31 UTC 2020
On Mon, Oct 26, 2020 at 09:01:49PM -0400, John Franklin wrote:
> agrilinks.org. 3600 IN DNSKEY 257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
> agrilinks.org. 3600 IN DNSKEY 256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
> agrilinks.org. 3600 IN RRSIG DNSKEY 13 2 3600 20201024231704 20200825231704 2371 agrilinks.org. e1Gd3UjvzbN2HWnNrRgzHoeoGEg6+swFF3JKwoF1cTJrda/O2O9J8KbP SBJuWa6T7XjFXs+bXGipIJROwxr3Sw==
Indeed the RRSIG expired on the 24th, and my DANE survey engine has been
failing DNSKEY lookups for your domain since:
https://stats.dnssec-tools.org/explore/?agrilinks.org
FWIW, looking more closely at the data, I see the following key
history, which shows an RSASHA256 KSK from 2018-07-29 to 2020-07-22,
that was rolled over to an ECDSA P256 KSK on 2020-07-22 and monthly
rollovers of the ZSK also cutting over to P256 on 2020-07-22.
Neither have rolled since, so it seems plausible that there's a
provisioning glitch associated with the key rollover:
qname | flags | alg | stime | etime | kid
---------------+-------+-----+------------+------------+------------
agrilinks.org | 257 | 8 | 2018-07-29 | 2020-07-22 | 26428972
agrilinks.org | 257 | 13 | 2020-07-22 | | 486
agrilinks.org | 256 | 8 | 2018-07-29 | 2018-08-24 | 26428971
agrilinks.org | 256 | 8 | 2018-08-22 | 2018-09-23 | 27577745
agrilinks.org | 256 | 8 | 2018-09-21 | 2018-10-23 | 28786093
agrilinks.org | 256 | 8 | 2018-10-21 | 2018-11-22 | 30019333
agrilinks.org | 256 | 8 | 2018-11-20 | 2018-12-22 | 31376994
agrilinks.org | 256 | 8 | 2018-12-20 | 2019-01-21 | 33187171
agrilinks.org | 256 | 8 | 2019-01-18 | 2019-02-19 | 34971114
agrilinks.org | 256 | 8 | 2019-02-18 | 2019-03-21 | 36691748
agrilinks.org | 256 | 8 | 2019-03-20 | 2019-04-21 | 38381210
agrilinks.org | 256 | 8 | 2019-04-18 | 2019-05-21 | 39797099
agrilinks.org | 256 | 8 | 2019-05-18 | 2019-06-20 | 41278717
agrilinks.org | 256 | 8 | 2019-06-17 | 2019-07-20 | 42961557
agrilinks.org | 256 | 8 | 2019-07-18 | 2019-08-19 | 44855339
agrilinks.org | 256 | 8 | 2019-08-17 | 2019-09-18 | 46352803
agrilinks.org | 256 | 8 | 2019-09-15 | 2019-10-18 | 47852963
agrilinks.org | 256 | 8 | 2019-10-15 | 2019-11-17 | 49338606
agrilinks.org | 256 | 8 | 2019-11-15 | 2019-12-17 | 51405954
agrilinks.org | 256 | 8 | 2019-12-15 | 2020-01-15 | 53631391
agrilinks.org | 256 | 8 | 2020-01-13 | 2020-02-15 | 55415629
agrilinks.org | 256 | 8 | 2020-02-12 | 2020-03-16 | 725808556
agrilinks.org | 256 | 8 | 2020-03-14 | 2020-04-15 | 1382135258
agrilinks.org | 256 | 8 | 2020-04-12 | 2020-05-14 | 2010477564
agrilinks.org | 256 | 8 | 2020-05-12 | 2020-06-13 | 2651956230
agrilinks.org | 256 | 8 | 2020-06-11 | 2020-07-13 | 3330283223
agrilinks.org | 256 | 8 | 2020-07-11 | 2020-07-22 | 4024196652
agrilinks.org | 256 | 13 | 2020-07-22 | | 29460111
The rather low KSK (key row id) ("kid") of 486, is due to the fact that
the P256 key in question has been in use as a KSK over the last ~3 years
by ~262,991 distinct domains and is still in use by ~206,413 of them.
So back in July your domain must have been migrated to use the shared
live-signing ECDSA infrastructure, but it seems something did not go
right, or your Cloudflare account has some underlying issue.
--
Viktor.
More information about the dns-operations
mailing list