[dns-operations] .de DNSSEC issue root cause
Mukund Sivaraman
muks at mukund.org
Thu Jun 11 18:50:28 UTC 2026
Hi Jan
On Thu, Jun 11, 2026 at 07:12:29PM +0200, Jan-Piet Mens wrote:
> Final report on the May 5th outage [1], though I do not understand how this
> can happen:
>
> "All three key pairs generated in this way contained the same
> identifiers, including the key tag 33834"
>
> Article in German: [2]

The article in German has an addendum (English translation by Google
Translate):

"Addendum from May 11, 2026: There was no "keytag" collision. Rather,
instead of generating one key pair and storing it on three HSMs, the
software generated three different key pairs – one for each HSM. All
three HSMs were used for signing, but only one had a key that matched
the (pre-)published DNSKEY RR."

>
> -JP
>
> [1] https://blog.denic.de/en/final-report-dns-outage-of-5-may-2026/
> [2] https://blog.denic.de/analyse-des-dns-ausfalls-vom-5-mai-2026/
Mukund
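
The failure described in the addendum (several signers, only one holding the key behind the published DNSKEY) can be caught by a pre-flight check like the one below. This is an added example, not part of the original message and not DENIC's tooling. The signer names, placeholder key bytes, flags value 256 and algorithm 13 are assumptions made for illustration.

```python
import struct

def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA wire format (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum, not a unique ID."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def check_signers(published_rdata, signer_public_keys):
    """Compare each signer's public key with the published DNSKEY.

    Returns {signer: (key_matches, key_tag)}. The match is on the full
    RDATA; a label or key tag alone does not prove the keys are identical.
    """
    flags, protocol, algorithm = struct.unpack("!HBB", published_rdata[:4])
    report = {}
    for name, public_key in signer_public_keys.items():
        rdata = dnskey_rdata(flags, algorithm, public_key, protocol)
        report[name] = (rdata == published_rdata, key_tag(rdata))
    return report

def unusable_signers(report):
    """Signers that must not be put into service with this DNSKEY."""
    return sorted(name for name, (ok, _) in report.items() if not ok)

# Constructed placeholder bytes standing in for three different public keys
# (64 bytes each, the length of an algorithm 13 key); not real key material.
HSM_KEYS = {
    "hsm-1": bytes(range(0, 64)),
    "hsm-2": bytes(range(64, 128)),
    "hsm-3": bytes(range(128, 192)),
}
# Assumed scenario: only hsm-1's key was published (flags 256, algorithm 13).
PUBLISHED = dnskey_rdata(256, 13, HSM_KEYS["hsm-1"])

if __name__ == "__main__":
    report = check_signers(PUBLISHED, HSM_KEYS)
    for name, (ok, tag) in report.items():
        state = "matches" if ok else "DOES NOT match"
        print(f"{name}: key tag {tag:5d}  {state} published DNSKEY")
    print("do not sign with:", unusable_signers(report))
```

In a real deployment the public keys would be read back from each HSM and the published RDATA taken from the zone's DNSKEY RRset, before any signer is enabled.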