[dns-operations] Someone from Cloudflare here?

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Oct 27 02:24:42 UTC 2020


On Mon, Oct 26, 2020 at 09:01:49PM -0400, John Franklin wrote:

> We've been having a problem since late last week (10/24) with a domain
> hosted at CF.   Somehow, the RRSIG covering the DNSKEY record has
> expired.  The DNSKEY record is available at the authoritative NS
> (sima), but ask anyone else and we get back SERVFAIL.  I'm not
> claiming either answer is wrong, just that the entire domain is
> inaccessible until a new RRSIG is generated for the DNSKEY.
> 
> What's the mechanism for resigning a DNSKEY key record?

The signing key in question is managed by CloudFlare, so they would have
to re-sign your zone, but if you're able to make changes to the DS
records as the domain registrant, then your best bet may be to ASAP
delete the DS RRset from .ORG until the issue is resolved.  Of course
the TTL is ~2D, so the effect won't be immediate:

    agrilinks.org. 86400 IN DS 2371 13 2 (
        f9fa3038ec1b74738e2948b2d8bb665c
        0bd275d55ccbd29af1ff4c1b88a5e418 )

If Cloudflare can re-sign the zone in a matter of hours, it may be best
to leave the DS RRs alone.

As for takeaways, I always recommend monitoring, and in particular to
check that the expiration times of critical (or all) records in your
zone are not "too soon".  For my own zones a nightly check is made for
signatures that would expire in less than 3.14 days both on the primary
server and on all secondaries.

Better to have some lead time to solve a potential problem than to be
fighting an outage.

-- 
    Viktor.
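The nightly signature-expiry check described above, written out as an added example (not the poster's own tooling). It parses RRSIG records in presentation format, as printed by `dig +dnssec` or taken from a zone transfer, and flags every signature that has already expired or expires within the 3.14-day lead time; the sample records, owner names, key tags and the check time are constructed.

```python
"""RRSIG lead-time check (added example). Input: RRSIG records in
presentation format, one per line, e.g. from `dig +dnssec @server zone RRSIG`."""
from datetime import datetime, timedelta, timezone

# Field order in RRSIG presentation format (RFC 4034 section 3.2):
# owner TTL class RRSIG type-covered alg labels orig-ttl expiration inception
# key-tag signer signature...
def parse_rrsig_time(field):
    """RFC 4034 allows YYYYMMDDHHmmSS or a bare count of seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_rrsig(line):
    f = line.split()
    if len(f) < 12 or f[3].upper() != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {"owner": f[0], "type_covered": f[4], "key_tag": int(f[10]),
            "signer": f[11], "inception": parse_rrsig_time(f[9]),
            "expiration": parse_rrsig_time(f[8])}

def expiring_soon(rrsig_lines, now, lead_days=3.14):
    """Return (owner, type_covered, key_tag, days_left) for every signature that
    has expired or expires within lead_days; days_left is negative once expired."""
    flagged = []
    for line in rrsig_lines:
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # skip blank lines and dig's comment lines
        sig = parse_rrsig(line)
        days_left = (sig["expiration"] - now) / timedelta(days=1)
        if days_left < lead_days:
            flagged.append((sig["owner"], sig["type_covered"], sig["key_tag"],
                            round(days_left, 2)))
    return flagged

# Constructed sample: an expired DNSKEY signature (the failure mode in the thread),
# a healthy SOA signature, and an A signature that expires within the lead time.
SAMPLE_RRSIGS = [
    "; <<>> DiG <<>> constructed comment line",
    "example.org.     3600 IN RRSIG DNSKEY 13 2 3600 20201026000000 20201012000000 2371 example.org. c29tZXNpZ25hdHVyZQ==",
    "example.org.     3600 IN RRSIG SOA 13 2 3600 20201110120000 20201027120000 34505 example.org. c29tZXNpZ25hdHVyZQ==",
    "www.example.org. 3600 IN RRSIG A 13 3 3600 20201028000000 20201014000000 34505 example.org. c29tZXNpZ25hdHVyZQ==",
]
CHECK_TIME = datetime(2020, 10, 27, 2, 24, 42, tzinfo=timezone.utc)  # constructed

if __name__ == "__main__":
    for owner, rtype, tag, days in expiring_soon(SAMPLE_RRSIGS, CHECK_TIME):
        print(f"WARNING {owner} {rtype} RRSIG (key tag {tag}) expires in {days} days")
```

Run the same check against each secondary as well as the primary; a secondary that stopped transferring the zone will show older signatures than the primary.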