[dns-operations] Problems with signatures in .SE

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Feb 4 20:15:47 UTC 2022


On Fri, Feb 04, 2022 at 08:24:31PM +0100, Ulrich Wisser wrote:

> We are experiencing a technical difficulty that is affecting around
> 8000 .se-domains. Services like e-mail and websites connected to these
> domains can’t be used or reached at the moment. In total there are
> 1,49 million .se-domains, and out of those about 8000 are affected.
> We are currently working to fix this problem. We are examining which
> domains are part of the issue and are ensuring that no more will be
> affected.

FWIW, for the domains where DS records exist and have valid signatures, the
presence of an incomplete NSEC record signature does not significantly
affect resolution for signed domains, because responses for DS records do
not elicit denial of existence responses, and requests for NS records
return a non-authoritative referral (unsigned).

Thus for signed domains, the problem NSEC records only break NXDOMAIN
responses for names that fall between the signed name and its next
successor.

So the affected live domains are those that either:

    * Are unsigned (no DS RRs) and have an incomplete NSEC RRSIG (PKCS#1
      padded, but not private key signed).
    * Are signed and it is the DS RRSIG that is incomplete.

The snapshot of the zone I looked at (SOA serial 2022020415) had
problems for 2,592 unsigned domains and 3,429 signed domains.

The problem RRSIG inception times ranged over a 5 hour interval from:
20220204081055 to 20220204131054 (the last inception time in that zone
file).  There were 182,007 RRSIGs in that time range of which 9,373
or ~5.14% are "incomplete".

If signing is performed on a cluster of 20 HSMs, one might guess that
one of the 20 HSMs was not operating correctly, performing a silent
noop instead of an in-place "modexp".

-- 
    Viktor.
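The "PKCS#1 padded, but not private key signed" RRSIGs described above can be spotted directly from the signature field, because a bare EMSA-PKCS1-v1_5 block has a fixed shape while a genuine RSA signature looks random. The following is an added example, not code from the thread or from .SE; it assumes RSASHA256/RSASHA512 keys (a 2048-bit modulus) and uses constructed sample records instead of real zone data.

```python
# Added example, not the thread's code: flag RRSIGs that are bare PKCS#1 v1.5 blocks.
import hashlib

DIGEST_INFO = {  # RFC 8017 9.2 DigestInfo prefixes, RSASHA256 / RSASHA512 (RFC 5702)
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440")}

def emsa_pkcs1_v15_encode(message: bytes, em_len: int, hash_name: str) -> bytes:
    """RFC 8017 9.2: EM = 0x00 || 0x01 || PS (>= 8 x 0xFF) || 0x00 || T."""
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, message).digest()
    ps_len = em_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t

def incomplete_signature_hash(sig: bytes):
    """Hash name if sig is a bare EM (padded, never modexp'd), else None."""
    if len(sig) < 11 or sig[:2] != b"\x00\x01":
        return None
    i = 2
    while i < len(sig) and sig[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(sig) or sig[i] != 0x00:  # PS too short / no separator
        return None
    t = sig[i + 1:]
    for name, prefix in DIGEST_INFO.items():
        if t.startswith(prefix) and len(t) == len(prefix) + hashlib.new(name).digest_size:
            return name
    return None  # a genuine RSA signature looks random and never parses as an EM

def broken_domains(rrsigs, signed_domains):
    """Rule from the message: an unsigned delegation (no DS) breaks on an incomplete
    NSEC RRSIG, a signed one on an incomplete DS RRSIG. rrsigs: (owner, type, sig)."""
    broken = set()
    for owner, covered, sig in rrsigs:
        if incomplete_signature_hash(sig) is None:
            continue
        if covered == ("DS" if owner in signed_domains else "NSEC"):
            broken.add(owner)
    return broken

# Constructed sample: 2048-bit key, so 256-byte signature fields (not real .se data).
GOOD_SIG = bytes(255 - i for i in range(256))  # stand-in for a real signature
SAMPLE_RRSIGS = [
    ("a.se.", "NSEC", emsa_pkcs1_v15_encode(b"a.se. NSEC rrset", 256, "sha256")),
    ("b.se.", "NSEC", emsa_pkcs1_v15_encode(b"b.se. NSEC rrset", 256, "sha256")),
    ("b.se.", "DS", GOOD_SIG),
    ("c.se.", "DS", emsa_pkcs1_v15_encode(b"c.se. DS rrset", 256, "sha512")),
]
SIGNED_DOMAINS = {"b.se.", "c.se."}
```

Run over a real zone, the input tuples would come from parsing the RRSIG RDATA (signature field after the signer's name); a signed domain whose only incomplete RRSIG covers its NSEC is deliberately not reported, matching the reasoning above.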
