The .SE incident on February 4, 2022
Ulrich Wisser
ulrich at wisser.se
Thu Feb 10 15:40:04 UTC 2022
Of course, we take this incident very seriously. To ensure the continued robust operation of the .se zone, we are carefully analysing the incident, and how it could have occurred.
As soon as we have all the facts, we will get back with a full account of what happened, together with the measures we will take to avoid a recurrence of the problem.
What we know at the moment is that:
● An error occurred in our signing solution and created incorrect DNSSEC signatures for .se domains/zones.
● The .nu zone was completely unaffected by this error.
● The error began on Friday morning with the .se zone file that was published at approximately 10:20 UTC+1 (.se distributes/publishes a new zone file every hour; the same applies for .nu). The first affected .se zone file had serial number 2022020410. The domains that have incorrect DNSSEC signatures in this zone file have the same error in the subsequent zone file.
● The last incorrectly distributed .se zone file was published at approx. 15:20 UTC+1 and had the serial number 2022020415. A total of 6 incorrect zone files were distributed on Friday, February 4 (see below).
● Distribution of both the .se and .nu zones was shut down at approx. 15:45 UTC+1 (on February 4).
● The correct .se zone file was published with the serial number 2022020418 and distributed around 22:30 UTC+1 (on February 4).
Our current assessment of the total number of domains with errors, and of the number of affected domains per zone file (see IMPACTED in the table below: queries from validating resolvers fail), is as follows:
Serial      Total records  DS failures  NSEC failures  Total failures  Domains with signature failures
2022020410  8715922        426          795            1221            1220
2022020411  8716280        1051         1797           2848            2845
2022020412  8716543        1658         2797           4455            4447
2022020413  8716677        2352         4011           6363            6345
2022020414  8717078        2908         4957           7865            7841
2022020415  8717397        3429         5944           9373            9345
We have categorized the failures into six categories and made an assessment of the impact on resolution:

Category  DS record              NSEC record              Assessment
A         No DS record           Correctly signed NSEC    Domain works as expected
B         No DS record           Incorrectly signed NSEC  Domain impacted
C         Correctly signed DS    Correctly signed NSEC    Domain works as expected
D         Correctly signed DS    Incorrectly signed NSEC  Domain works as expected
E         Incorrectly signed DS  Correctly signed NSEC    Domain impacted
F         Incorrectly signed DS  Incorrectly signed NSEC  Domain impacted
Serial      A       B     C       D     E     F   IMPACTED
2022020410  599459  354   802944  440   425   1   780
2022020411  599050  786   801787  1008  1048  3   1837
2022020412  598677  1211  800615  1578  1650  8   2869
2022020413  598157  1747  799263  2246  2334  18  4099
2022020414  597806  2148  798190  2785  2884  24  5056
2022020415  597444  2564  797108  3352  3401  28  5993
Today we seek guidance from the community on the correctness of this assessment.
Kind regards
Ulrich
--
Ulrich Wisser
Senior DNS Expert
The Swedish Internet Foundation
Mobile: +46 704 467 893
https://internetstiftelsen.se/dns-labs/
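The six categories and the resolution rule behind them, written out as an added example that is not part of Ulrich Wisser's post: a validating resolver that finds a DS at the parent relies on the DS RRSIG and never needs the NSEC at the delegation name, while for a delegation without DS it needs a validly signed NSEC in the parent's NODATA answer to prove that no DS exists, otherwise the delegation cannot be proven insecure and is treated as bogus. The script encodes that rule, classifies a delegation into A to F, and cross-checks that the per-category counts reproduce the DS failures, NSEC failures, totals and IMPACTED columns of the two tables. The numbers are the ones published in the post; the `Delegation` type and function names are this example's own.

```python
"""Classify .se delegation signature failures (categories A-F) and cross-check the tallies.

Added example, not code from the post or from The Swedish Internet Foundation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Delegation:
    has_ds: bool       # a DS RRset exists for the child at the parent
    ds_sig_ok: bool    # the DS RRSIG validates (only meaningful when has_ds)
    nsec_sig_ok: bool  # the NSEC RRSIG at the delegation name validates


def classify(d: Delegation) -> str:
    """Map a delegation onto the post's category letter A..F."""
    if not d.has_ds:
        return "A" if d.nsec_sig_ok else "B"
    if d.ds_sig_ok:
        return "C" if d.nsec_sig_ok else "D"
    return "E" if d.nsec_sig_ok else "F"


def impacted(d: Delegation) -> bool:
    """True when a validating resolver can neither build a secure chain nor prove the delegation insecure."""
    if d.has_ds:
        # Secure delegation: only the DS RRSIG matters; the NSEC is never needed.
        return not d.ds_sig_ok
    # Unsigned child: the NODATA proof for DS must carry a valid NSEC RRSIG.
    return not d.nsec_sig_ok


# One representative delegation per category, used to derive aggregate columns.
REPRESENTATIVE = {
    "A": Delegation(has_ds=False, ds_sig_ok=False, nsec_sig_ok=True),
    "B": Delegation(has_ds=False, ds_sig_ok=False, nsec_sig_ok=False),
    "C": Delegation(has_ds=True, ds_sig_ok=True, nsec_sig_ok=True),
    "D": Delegation(has_ds=True, ds_sig_ok=True, nsec_sig_ok=False),
    "E": Delegation(has_ds=True, ds_sig_ok=False, nsec_sig_ok=True),
    "F": Delegation(has_ds=True, ds_sig_ok=False, nsec_sig_ok=False),
}

# Per-serial category counts, as published in the post's second table.
CATEGORY_COUNTS = {
    2022020410: dict(A=599459, B=354, C=802944, D=440, E=425, F=1),
    2022020411: dict(A=599050, B=786, C=801787, D=1008, E=1048, F=3),
    2022020412: dict(A=598677, B=1211, C=800615, D=1578, E=1650, F=8),
    2022020413: dict(A=598157, B=1747, C=799263, D=2246, E=2334, F=18),
    2022020414: dict(A=597806, B=2148, C=798190, D=2785, E=2884, F=24),
    2022020415: dict(A=597444, B=2564, C=797108, D=3352, E=3401, F=28),
}

# (DS failures, NSEC failures, total failures, domains with signature failures, IMPACTED)
# as published in the post's first and second tables.
REPORTED = {
    2022020410: (426, 795, 1221, 1220, 780),
    2022020411: (1051, 1797, 2848, 2845, 1837),
    2022020412: (1658, 2797, 4455, 4447, 2869),
    2022020413: (2352, 4011, 6363, 6345, 4099),
    2022020414: (2908, 4957, 7865, 7841, 5056),
    2022020415: (3429, 5944, 9373, 9345, 5993),
}


def derive(counts: dict) -> tuple:
    """Recompute the aggregate columns from category counts using the rule above."""
    def total(pred):
        return sum(n for cat, n in counts.items() if pred(REPRESENTATIVE[cat]))

    ds_fail = total(lambda d: d.has_ds and not d.ds_sig_ok)          # E + F
    nsec_fail = total(lambda d: not d.nsec_sig_ok)                    # B + D + F
    sig_fail_domains = total(lambda d: (d.has_ds and not d.ds_sig_ok) or not d.nsec_sig_ok)  # B + D + E + F
    return (ds_fail, nsec_fail, ds_fail + nsec_fail, sig_fail_domains, total(impacted))


def check_tables() -> dict:
    """Return {serial: (derived, reported)} for every serial whose tables disagree; empty if consistent."""
    return {s: (derive(c), REPORTED[s]) for s, c in CATEGORY_COUNTS.items() if derive(c) != REPORTED[s]}


if __name__ == "__main__":
    for cat, d in REPRESENTATIVE.items():
        print(cat, classify(d), "impacted" if impacted(d) else "works")
    print("table mismatches:", check_tables())
```

Running it shows that the first table's failure columns and the IMPACTED column are exactly what the category counts imply (DS failures = E + F, NSEC failures = B + D + F, IMPACTED = B + E + F), so the assessment is at least internally consistent; whether category D really resolves cleanly on every resolver implementation is the part that still depends on operational testing.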