[dns-operations] slack.com bogus
Michael Sinatra
michael at brokendns.net
Thu Sep 30 22:31:43 UTC 2021
On 9/30/21 2:42 PM, Viktor Dukhovni wrote:
>> On 30 Sep 2021, at 2:00 pm, Peter van Dijk <peter.van.dijk at powerdns.com> wrote:
>>
>> Judging from dnsviz, a DS was present in the .com zone for slack.com
>> around 15:25 UTC today, and records inside slack.com were correctly
>> signed with the related KSK/ZSK set.
>
> In more detail, it sure looks like they may have deployed their DS RRSet
> prematurely for the first time today (with the domain initially signed and
> working at that time) and then made the mistake of quickly yanking the DS
> records. I see no prior history in the DNSSEC/DANE survey data of DS
> records for slack.com.
As you probably realize, but others may not, yanking the DS records per
se didn't kill them; it was the fact that they yanked the DS records
*and* made the mistake of pulling their DNSKEY and RRSIG records from
their zone.
Given that there are still reports of resolvers out there with cached DS
records, has anyone who may be in contact with the Slack admins advised
them to bring back the DNSKEY records and RRSIGs without bringing back
the DS records? Once the negative cache ttl expires (5 min according to
the SOA minimum), people will start resolving and validating stuff
again, rather than having to force-flush or wait for the 24 hour DS TTL
to expire. (By my calculation, we still have 17 hours to go, vs. 5
minutes.)
michael
More information about the dns-operations
mailing list