[dns-operations] .RU zone failed ZSK rotation

Stephane Bortzmeyer bortzmeyer at nic.fr
Wed Jan 31 08:51:16 UTC 2024


On Wed, Jan 31, 2024 at 04:34:40AM +0200,
 Phil Kulin <schors at gmail.com> wrote 
 a message of 45 lines which said:

> Timeline:

Thanks.

I'm not convinced that the subject of this thread is useful. The chain
of keys was always correct (unlike many DNSSEC problems, the DS and
DNSKEY were always in sync), the problem being that ZSK 52263 produced
invalid signatures.

Two hypotheses:

1) Something strange in this specific key broke the signatures (funny
but unlikely)

2) The signing system had a sudden problem. Note that .ru went back,
not only to the previous ZSK but also to a previous zone, and the
SOA serial (4058856) has not changed since (it changed every ~ two
hours before). It is possible that they cannot sign anymore.

Note: there will be a short talk about this incident at FOSDEM
(Brussels) on Saturday, either at the DNS devroom or during the
lightning talks.
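
Added example, not part of the original message: a sketch of the chain-of-keys check referred to above, that is, whether a DS at the parent matches a published DNSKEY and whether the RRSIGs name a published key. The key material is constructed sample data, not the real .ru keys; the function names are hypothetical, and the code does not verify signatures cryptographically.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical lowercase wire form of a domain name (RFC 4034, 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag of a DNSKEY RDATA (RFC 4034, appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over owner name + DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def triage(owner, ds_set, dnskeys, rrsig_tags):
    """ds_set: [(key_tag, sha256_hex)] from the parent; dnskeys: DNSKEY RDATAs
    from the child; rrsig_tags: key tags named in the zone's RRSIGs."""
    by_tag = {key_tag(k): k for k in dnskeys}
    anchored = [t for t, d in ds_set
                if t in by_tag and ds_digest(owner, by_tag[t]) == d.lower()]
    if not anchored:
        return "chain broken: no DS matches a published DNSKEY"
    unknown = sorted(t for t in rrsig_tags if t not in by_tag)
    if unknown:
        return "chain broken: RRSIG made by unpublished key %s" % unknown
    return "chain intact: look at the signatures themselves"

# Constructed sample data (not the real .ru keys): RSASHA256 is algorithm 8,
# flags 257 = KSK, 256 = ZSK; the public-key bytes are placeholders.
KSK = dnskey_rdata(257, 8, bytes(range(1, 33)))
ZSK = dnskey_rdata(256, 8, bytes(range(33, 65)))
DS_SET = [(key_tag(KSK), ds_digest("ru.", KSK))]

if __name__ == "__main__":
    # DS and DNSKEY in sync, RRSIGs made by the published ZSK.
    print(triage("ru.", DS_SET, [KSK, ZSK], [key_tag(ZSK)]))
    # DS left pointing at a key that is no longer published.
    print(triage("ru.", DS_SET, [ZSK], [key_tag(ZSK)]))
```

A "chain intact" result with resolvers still returning validation failures is the situation described in the message: the remaining suspects are the signatures or the signer.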

