[dns-operations] TLD .fj broken (DNSSEC issue)

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Mar 8 15:06:02 UTC 2022


On Tue, Mar 08, 2022 at 10:23:21AM +0100, Stephane Bortzmeyer wrote:

> Entire TLD down since the DS goes to a nonexistent key
> <https://dnsviz.net/d/fj/YicaMA/dnssec/>.
> 
> % dig @a.root-servers.net fj ds
> fj.			86400 IN DS 18952 8 2 ( B22F5938AD822A76499A3AC295E061CC07FCE36D7956 E26A4F51AEDE1717F993 )

This had been in place unchanged since at least 2021-03-12, when the TLD
was first signed.  (There's a new DS RR matching the KSK now).

> % dig @144.120.146.1 fj dnskey
> fj.			3600 IN	DNSKEY 256 3 8 ( ... ) ; ZSK; alg = RSASHA256 ; key id = 24459
> fj.			3600 IN	DNSKEY 257 3 8 ( ... ) ; KSK; alg = RSASHA256 ; key id = 12931
> fj.			3600 IN	RRSIG DNSKEY 8 1 3600 ( 20220321164811 20220307230005 12931 fj.  ... )

There had also been two ZSK rollovers since the TLD was signed, on
2021-09-03 and 2022-03-03, but this was the first KSK rollover.
Apparently, without overlap with the previous KSK, and only a
subsequent parent DS update. :-(

There is now a new DS RR matching the KSK and also a fresh ZSK.

IANA lists:

    Technical Contact
    Manager Systems & Networks
    The University of the South Pacific IT Services
    Suva
    Fiji
    Email: domreg at usp.ac.fj
    Voice: +679 323 2117

Is anyone in a position to reach out and help them avoid future issues?

-- 
    Viktor.
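
The failure described in this message (a parent DS that matches no key in the child's DNSKEY RRset after a KSK rollover without overlap) can be checked before a rollover goes live. The following is an added example, not part of the original message: the function names are hypothetical, the keys are constructed placeholders rather than the .fj keys, only DS digest type 2 (SHA-256) is handled, and DS digests are assumed to be normalized to uppercase hex without spaces.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name: 'fj.' -> b'\\x02fj\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA wire form; pubkey is the base64-decoded public key field."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, key):
    """DS tuple (key tag, algorithm, digest type 2, SHA-256 hex) for a DNSKEY."""
    rd = dnskey_rdata(*key)
    digest = hashlib.sha256(name_to_wire(owner) + rd).hexdigest().upper()
    return (key_tag(rd), key[2], 2, digest)

def dangling_ds(owner, parent_ds, child_dnskeys):
    """Parent DS records that match no DNSKEY served by the child zone."""
    published = {make_ds(owner, k) for k in child_dnskeys}
    return [ds for ds in parent_ds if ds not in published]

def chain_intact(owner, parent_ds, child_dnskeys):
    """A validator needs at least one DS to match a key in the DNSKEY RRset."""
    return len(dangling_ds(owner, parent_ds, child_dnskeys)) < len(parent_ds)

# Constructed sample keys: (flags, protocol, algorithm, public key bytes).
ZSK = (256, 3, 8, b"constructed-zsk")
OLD_KSK = (257, 3, 8, b"constructed-old-ksk")
NEW_KSK = (257, 3, 8, b"constructed-new-ksk")
PARENT_DS = [make_ds("fj.", OLD_KSK)]  # parent still points at the old KSK

if __name__ == "__main__":
    scenarios = [("rollover without overlap", [ZSK, NEW_KSK]),
                 ("rollover with overlap", [ZSK, OLD_KSK, NEW_KSK])]
    for label, keys in scenarios:
        state = "intact" if chain_intact("fj.", PARENT_DS, keys) else "BROKEN"
        print(f"{label}: {state}, dangling DS = {dangling_ds('fj.', PARENT_DS, keys)}")
```

A matching DS is necessary but not sufficient: the matched key must also produce a valid RRSIG over the DNSKEY RRset, which this check does not verify.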

