APNIC's in-addr.arpa zones were bogus
Damick, Jeffrey
jdamick at amazon.com
Thu Aug 25 18:42:40 UTC 2022
We also noticed this change; was this a rollover mistake? It looks like the RRSIG on the SOA expired at around 2022-08-25 03:12 (UTC), which correlates to approximately when we saw the event begin.
On 8/25/22, 11:26 AM, "Mitsuru SHIMAMURA" <simamura at iij.ad.jp> wrote:
Hi,
I found our DNSSEC validating full service resolver (unbound) prints the below validation failure logs.
2022-08-25T12:37:04.808871+09:00 resolver unbound - - - [27541:3] info: validation failure <136.197.63.119.in-addr.arpa. PTR IN>: no keys have a DS with algorithm ECDSAP256SHA256 from 2001:13c7:7002:3000::14 for key 119.in-addr.arpa. while building chain of trust
2022-08-25T13:50:39.964228+09:00 resolver unbound - - - [27541:5] info: validation failure <148.99.253.202.in-addr.arpa. PTR IN>: no keys have a DS with algorithm ECDSAP256SHA256 from 2001:67c:e0::9 for key 202.in-addr.arpa. while building chain of trust
Not only the 119 and 202.in-addr.arpa zones were bogus; the list is below.
1.in-addr.arpa.
14.in-addr.arpa.
27.in-addr.arpa.
36.in-addr.arpa.
39.in-addr.arpa.
42.in-addr.arpa.
43.in-addr.arpa.
49.in-addr.arpa.
58.in-addr.arpa.
59.in-addr.arpa.
60.in-addr.arpa.
61.in-addr.arpa.
101.in-addr.arpa.
103.in-addr.arpa.
106.in-addr.arpa.
110.in-addr.arpa.
111.in-addr.arpa.
112.in-addr.arpa.
113.in-addr.arpa.
114.in-addr.arpa.
115.in-addr.arpa.
116.in-addr.arpa.
117.in-addr.arpa.
118.in-addr.arpa.
119.in-addr.arpa.
120.in-addr.arpa.
121.in-addr.arpa.
122.in-addr.arpa.
123.in-addr.arpa.
124.in-addr.arpa.
125.in-addr.arpa.
126.in-addr.arpa.
150.in-addr.arpa.
153.in-addr.arpa.
163.in-addr.arpa.
171.in-addr.arpa.
175.in-addr.arpa.
180.in-addr.arpa.
182.in-addr.arpa.
183.in-addr.arpa.
202.in-addr.arpa.
210.in-addr.arpa.
211.in-addr.arpa.
218.in-addr.arpa.
219.in-addr.arpa.
220.in-addr.arpa.
221.in-addr.arpa.
222.in-addr.arpa.
223.in-addr.arpa.
The last bogus log was logged at 18:45 (UTC+9).
So, we were affected for over 6 hours.
I found the problem after the fix.
And I could not find dnsviz's analysis at the time.
Does this outage only affect our network?
--
Mitsuru SHIMAMURA <simamura at iij.ad.jp>
Internet Initiative Japan, Inc.
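A small defender-side check for the failure pattern in this thread, added here as an example and not code from either message: it groups unbound validation-failure lines by the zone named after "for key", computes the affected window, and reads the expiration out of an RRSIG in presentation format so it can be compared with the first failure. The third log line, the RRSIG record, its key tag and its signature are constructed.

```python
import re
from datetime import datetime, timezone

# Pattern for the unbound "validation failure" lines quoted in the thread; it is
# derived from those two lines only (an assumption, not unbound's full grammar).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) .*validation failure <(?P<qname>\S+) (?P<rtype>\S+) IN>: "
    r"no keys have a DS with algorithm (?P<alg>\S+) from (?P<server>\S+) "
    r"for key (?P<zone>\S+) while building chain of trust"
)

# Constructed sample: the report's two lines plus one made-up line stamped at
# the time the report gives for the last bogus answer (18:45 JST).
SAMPLE_LOG = """\
2022-08-25T12:37:04.808871+09:00 resolver unbound - - - [27541:3] info: validation failure <136.197.63.119.in-addr.arpa. PTR IN>: no keys have a DS with algorithm ECDSAP256SHA256 from 2001:13c7:7002:3000::14 for key 119.in-addr.arpa. while building chain of trust
2022-08-25T13:50:39.964228+09:00 resolver unbound - - - [27541:5] info: validation failure <148.99.253.202.in-addr.arpa. PTR IN>: no keys have a DS with algorithm ECDSAP256SHA256 from 2001:67c:e0::9 for key 202.in-addr.arpa. while building chain of trust
2022-08-25T18:45:00.000000+09:00 resolver unbound - - - [27541:2] info: validation failure <9.8.7.202.in-addr.arpa. PTR IN>: no keys have a DS with algorithm ECDSAP256SHA256 from 2001:67c:e0::9 for key 202.in-addr.arpa. while building chain of trust
"""

# Constructed RRSIG over the SOA with the expiry the reply above reports
# (2022-08-25 03:12 UTC); key tag and signature are placeholders.
SAMPLE_RRSIG = ("119.in-addr.arpa. 3600 IN RRSIG SOA 13 3 3600 20220825031200 "
                "20220811031200 12345 119.in-addr.arpa. PLACEHOLDERSIGNATURE==")

def summarize_bogus_zones(log_text):
    """Group failures by the zone whose DS/DNSKEY did not match ("for key ...").
    Returns {zone: {"alg", "count", "first", "last"}} with UTC timestamps."""
    zones = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a chain-of-trust failure line
        ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
        z = zones.setdefault(m["zone"], {"alg": m["alg"], "count": 0,
                                          "first": ts, "last": ts})
        z["count"] += 1
        z["first"], z["last"] = min(z["first"], ts), max(z["last"], ts)
    return zones

def impact_window(zones):
    """First and last failure (UTC) across all zones, and the span in hours."""
    first = min(z["first"] for z in zones.values())
    last = max(z["last"] for z in zones.values())
    return first, last, (last - first).total_seconds() / 3600

def rrsig_expiration(rrsig_rr):
    """Expiration (UTC) of an RRSIG in presentation format: ... RRSIG type alg
    labels origttl expiration inception keytag signer signature."""
    f = rrsig_rr.split()
    return datetime.strptime(f[f.index("RRSIG") + 5], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
```

Run over a real unbound log, the zone summary shows which parent zones are failing and whether the first failure lands after the signature expiry, which separates an expired-RRSIG incident from a genuine DS/DNSKEY algorithm mismatch.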