[dns-operations] slack.com bogus

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Sep 30 21:42:50 UTC 2021


> On 30 Sep 2021, at 2:00 pm, Peter van Dijk <peter.van.dijk at powerdns.com> wrote:
> 
> Judging from dnsviz, a DS was present in the .com zone for slack.com
> around 15:25 UTC today, and records inside slack.com were correctly
> signed with the related KSK/ZSK set.

In more detail, it sure looks like they may have deployed their DS RRSet
prematurely for the first time today (with the domain initially signed and
working at that time) and then made the mistake of quickly yanking the DS
records.  I see no prior history in the DNSSEC/DANE survey data of DS
records for slack.com.

That speaks to poor planning and/or execution.  Given the poor execution,
it might now not be signed until some operational basics are internalised.

Pity this did not go smoothly for them.  A premature rollout can be mildly
inconvenient, but then yanking the DS RRs was definitely a bad call.  We may
never find out why that was the decision, but it would be interesting to
find out whether it was a bad management decision or operator error due to
insufficient training...

-- 
	Viktor.




