[dns-operations] TLD .fj broken (DNSSEC issue)
Viktor Dukhovni
ietf-dane at dukhovni.org
Tue Mar 8 15:06:02 UTC 2022
On Tue, Mar 08, 2022 at 10:23:21AM +0100, Stephane Bortzmeyer wrote:

> Entire TLD down since the DS goes to an unexisting key
> <https://dnsviz.net/d/fj/YicaMA/dnssec/>.
>
> % dig @a.root-servers.net fj ds
> fj. 86400 IN DS 18952 8 2 ( B22F5938AD822A76499A3AC295E061CC07FCE36D7956 E26A4F51AEDE1717F993 )

This had been in place unchanged since at least 2021-03-12, when the TLD
was first signed. (There's a new DS RR matching the KSK now).

> % dig @144.120.146.1 fj dnskey
> fj. 3600 IN DNSKEY 256 3 8 ( ... ) ; ZSK; alg = RSASHA256 ; key id = 24459
> fj. 3600 IN DNSKEY 257 3 8 ( ... ) ; KSK; alg = RSASHA256 ; key id = 12931
> fj. 3600 IN RRSIG DNSKEY 8 1 3600 ( 20220321164811 20220307230005 12931 fj. ... )

There had also been two ZSK rollovers since the TLD was signed, on
2021-09-03 and 2022-03-03, but this was the first KSK rollover.
Apparently, without overlap with the previous KSK, and only a
subsequent parent DS update. :-(

There is now a new DS RR matching the KSK and also a fresh ZSK.

IANA lists:

    Technical Contact
    Manager Systems & Networks
    The University of the South Pacific IT Services
    Suva
    Fiji
    Email: domreg at usp.ac.fj
    Voice: +679 323 2117

Is anyone in a position to reach out and help them avoid future issues?

--
Viktor.
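
Added example, not part of the original message: a pre-flight check that walks a KSK rollover plan state by state and reports whether the parent DS set still matches a DNSKEY in the child zone, contrasting the no-overlap order described above with one where both KSKs are published during the DS change. The key bytes are constructed placeholders (not the real .fj keys), resolver caching and TTL waits are not modelled, and any matching key is assumed to also sign the DNSKEY RRset.

```python
import hashlib
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def wire_name(name: str) -> bytes:
    """Owner name in canonical (lower-case) wire format."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey(flags: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def make_ds(owner: str, rdata: bytes) -> tuple:
    """(key tag, algorithm, digest type 2, SHA-256 digest) for one DNSKEY."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def chain_ok(owner: str, ds_set, dnskey_set) -> bool:
    """True if some parent DS matches a zone key published by the child.
    Assumption: every matching key also signs the DNSKEY RRset."""
    zone_keys = [k for k in dnskey_set if struct.unpack("!H", k[:2])[0] & 0x0100]
    return any(make_ds(owner, k) in ds_set for k in zone_keys)

def check_plan(owner, steps):
    """Evaluate each (ds_set, dnskey_set) state of a rollover plan in order."""
    return [chain_ok(owner, ds, keys) for ds, keys in steps]

# Constructed key material (placeholder bytes, not real RSA keys or the .fj keys).
OLD_KSK = dnskey(257, 8, b"constructed-old-ksk")
NEW_KSK = dnskey(257, 8, b"constructed-new-ksk")
ZSK = dnskey(256, 8, b"constructed-zsk")
DS_OLD, DS_NEW = make_ds("fj.", OLD_KSK), make_ds("fj.", NEW_KSK)

# KSK swapped with no overlap, parent DS updated only afterwards.
NO_OVERLAP = [([DS_OLD], [OLD_KSK, ZSK]),
              ([DS_OLD], [NEW_KSK, ZSK]),   # DS points at a key that is gone
              ([DS_NEW], [NEW_KSK, ZSK])]
# Both KSKs published while the DS changes at the parent.
WITH_OVERLAP = [([DS_OLD], [OLD_KSK, ZSK]),
                ([DS_OLD], [OLD_KSK, NEW_KSK, ZSK]),
                ([DS_NEW], [OLD_KSK, NEW_KSK, ZSK]),
                ([DS_NEW], [NEW_KSK, ZSK])]

if __name__ == "__main__":
    print("no overlap:  ", check_plan("fj.", NO_OVERLAP))
    print("with overlap:", check_plan("fj.", WITH_OVERLAP))
```

A `False` at any step marks a state in which validating resolvers would treat the zone as bogus.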