[dns-operations] .de DNSSEC issue root cause
Klaus Malorny
Klaus.Malorny at knipp.de
Fri Jun 12 07:37:50 UTC 2026
On 11.06.26 20:50, Mukund Sivaraman wrote:
> Hi Jan
>
> On Thu, Jun 11, 2026 at 07:12:29PM +0200, Jan-Piet Mens wrote:
>> Final report on the May 5th outage [1], though I do not understand how this
>> can happen:
>>
>> "All three key pairs generated in this way contained the same
>> identifiers, including the key tag 33834"
>>
>> Article in German: [2]
>
> The article in German has an addendum (English translation by Google
> Translate):
>
> "Addendum from May 11, 2026: There was no "keytag" collision. Rather,
> instead of generating one key pair and storing it on three HSMs, the
> software generated three different key pairs – one for each HSM. All
> three HSMs were used for signing, but only one had a key that matched
> the (pre-)published DNSKEY RR."
>
>>
>> -JP
Hi,
this wording puzzles me a bit. It sounds like two of the keys
actually did not match the keytag, as the keytag is not a random number,
but calculated from the key itself (and the domain name and parameters).
But actually, this detail is quite irrelevant. In the end, the whole
issue sounds like an occurrence of Murphy's law.
Regards,
Klaus
--
___________________________________________________________________________
| |
| knipp | Knipp Medien und Kommunikation GmbH
------- Technologiepark
Martin-Schmeißer-Weg 9
44227 Dortmund
Geschäftsführer: Registereintrag:
Dietmar Knipp, Elmar Knipp Amtsgericht Dortmund, HRB 13728
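
The key tag discussed in this thread is a 16-bit checksum that RFC 4034 Appendix B defines over the DNSKEY RDATA (flags, protocol, algorithm, public key). The following is an added example, not part of the original messages or of any registry's tooling: a pre-signing check that compares each signer's full DNSKEY RDATA with the published one and uses the key tag only as a diagnostic. The signer names, flags 257, algorithm 13 and the 64-byte "public keys" are constructed placeholders, not real key material.

```python
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        # Even offsets are the high byte of a 16-bit word, odd offsets the low byte.
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    # Wire format: flags (2 bytes) | protocol (always 3) | algorithm | public key
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def check_signers(published: bytes, signers: dict) -> dict:
    """Classify each signer's key against the published DNSKEY RDATA."""
    result = {}
    for name, rdata in signers.items():
        if rdata == published:
            result[name] = "match"
        elif key_tag(rdata) == key_tag(published):
            # Same 16-bit tag, different key: the tag alone proves nothing.
            result[name] = "tag-collision"
        else:
            result[name] = "mismatch"
    return result

# Constructed sample data (hypothetical signers, placeholder key bytes).
KEY_A = bytes(range(64))
KEY_B = bytes(range(1, 65))                  # an unrelated key
KEY_C = KEY_A[2:4] + KEY_A[0:2] + KEY_A[4:]  # 16-bit words swapped: same checksum
PUBLISHED = dnskey_rdata(257, 13, KEY_A)
SIGNERS = {
    "hsm-a": dnskey_rdata(257, 13, KEY_A),
    "hsm-b": dnskey_rdata(257, 13, KEY_B),
    "hsm-c": dnskey_rdata(257, 13, KEY_C),
}

if __name__ == "__main__":
    print("published key tag:", key_tag(PUBLISHED))
    for name, status in check_signers(PUBLISHED, SIGNERS).items():
        print(name, key_tag(SIGNERS[name]), status)
```

Because the tag is a plain 16-bit sum, equal tags do not imply equal keys; a signing pipeline that must guarantee "one key on every HSM" has to compare the public key bytes themselves.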