[dns-operations] APNIC's in-addr.arpa zones were bogus

Ralf Weber dns at fl1ger.de
Fri Aug 26 11:35:38 UTC 2022


Moin!

On 25 Aug 2022, at 17:26, Mitsuru SHIMAMURA via dns-operations wrote:
> I found our DNSSEC validating full service resolver(unbound) prints bellow validation failer logs.
>
> 2022-08-25T12:37:04.808871+09:00 resolver unbound - - - [27541:3] info: validation failure <136.197.63.119.in-addr.arpa. PTR IN>: no keys have a DS with algorithm ECDSAP256SHA256 from 2001:13c7:7002:3000::14 for key 119.in-addr.arpa. while building chain of trust
>
> 2022-08-25T13:50:39.964228+09:00 resolver unbound - - - [27541:5] info: validation failure <148.99.253.202.in-addr.arpa. PTR IN>: no keys have a DS with algorithm ECDSAP256SHA256 from 2001:67c:e0::9 for key 202.in-addr.arpa. while building chain of trust
>
> Not only 119 and 202.in-addr.arpa zones were bogus, below is list.
I can confirm that I saw similar errors on my resolver (Akamai Cacheserve) between August 25 03:00 UTC and 23:00 UTC

> The last bogus log is logged at 18:45(UTC+9).
>
> So, we were affected over 6 hours.
As said mine lasted longer, but it is doing lots of PTR request as it runs a mail server. It was different networks that were affected over that time frame.

> I found the problem after fix.
Out of curiosity what was the problem?

> And I cannot found dnsviz's analyze at the time.
DNSViz no longer automatically does checking, as the storage and processing requirements were too much for DNS OARC who runs it now. It only does and stores when you ask it on the website.

> Does this outage only affect our network?
No, my guess is that others will also see it when they dig in their logs.

So long
-Ralf
---
Ralf Weber




More information about the dns-operations mailing list