<div dir="auto"><div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jul 11, 2023, 4:30 PM Viktor Dukhovni <<a href="mailto:ietf-dane@dukhovni.org">ietf-dane@dukhovni.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Tue, Jul 11, 2023 at 10:24:21PM +0000, Wessels, Duane wrote:<br>
<br>
> Over the weekend, this caused an issue that may have affected the<br>
> ability of some internet users in the region to reach some .com and<br>
> .net domains, as DNSSEC signatures on the site began expiring. The<br>
> issue was resolved by powering off the site’s peering router, causing<br>
> the anycast route announcement to be withdrawn and traffic to be<br>
> directed to other sites.<br>
<br>
I should note that DNSSEC was not the only fallout from outdated zone<br>
files. Some delegations had stale NS records, for which the outdated<br>
nameservers were already returning REFUSED (or outdated answers).<br>
<br>
Consequently, some users unlucky enough to have switched providers or<br>
moved to new NS hosts at the same provider after the site was cut off<br>
from updates also observed some issues, whether or not DNSSEC happened<br>
to be involved.</blockquote></div></div><div dir="auto"><br></div><div dir="auto">That is true of course, but the magnitude of this event was made much worse by DNSSEC. The entire COM and NET zones being bogus (including the unsigned delegations) is very different to the few that saw record changes in the prior 1-2 days.</div><div dir="auto"><br></div><div dir="auto">What surprised me was, we saw Unbound persistently caching stale RRSIGs and returning SERVFAILs for a busy second level domain, even though the majority of alternate nameservers on offer were not stale.</div><div dir="auto"><br></div><div dir="auto">Does Unbound retry another nameserver when it sees a bogus response with expired RRSIGs? Does it retry enough to guarantee hitting a good nameserver here?</div><div dir="auto"><br></div><div dir="auto">Gavin</div><div dir="auto"><br></div></div>
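The failure mode in the thread is a signature whose validity window has closed: a validator that receives such an RRSIG judges the answer bogus and answers SERVFAIL regardless of which nameserver served it. The following is an added example for this thread, not code from the thread, from Verisign, or from Unbound: a stdlib-only Python checker that reads RRSIG records in zone-file presentation format and classifies each as valid, expiring soon, expired, or not yet valid, the kind of check an operator can run against a zone transfer or query output to catch stale signatures before resolvers start rejecting them. The sample records, names, key tags and signature bytes are constructed placeholders.

```python
"""Flag expired or soon-to-expire RRSIGs in presentation-format records.

Added example for the list thread; not code from the thread, from
Verisign, or from Unbound. Stdlib only. Feed it RRSIG lines (e.g. from
a zone transfer or `dig +dnssec` output) and it reports which signatures
a validator would already reject (expired / not yet valid) and which are
close to expiring.

Every record below is constructed for the example; the names, key tags
and signature bytes are placeholders, not real data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# RRSIG expiration/inception in presentation format: YYYYMMDDHHmmSS, UTC.
SIG_TIME_FMT = "%Y%m%d%H%M%S"

# Constructed sample input, zone-file presentation format:
# owner TTL class RRSIG type-covered algorithm labels original-TTL
#   expiration inception key-tag signer signature
SAMPLE_RRSIGS = """\
example.test. 3600 IN RRSIG A 13 2 3600 20230720000000 20230706000000 12345 example.test. c29tZXNpZ25hdHVyZQ==
stale.example.test. 3600 IN RRSIG NS 13 3 3600 20230709000000 20230625000000 23456 example.test. c29tZXNpZ25hdHVyZQ==
soon.example.test. 3600 IN RRSIG A 13 3 3600 20230712120000 20230628120000 34567 example.test. c29tZXNpZ25hdHVyZQ==
"""


def sig_time(field: str) -> datetime:
    """Parse an RRSIG time field into an aware UTC datetime."""
    return datetime.strptime(field, SIG_TIME_FMT).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class RRSIG:
    owner: str
    type_covered: str
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str

    def status(self, now: datetime, warn_within: timedelta = timedelta(days=2)) -> str:
        """Classify this signature's validity window relative to `now`.

        RFC 4034 treats inception <= now <= expiration as the valid window.
        (On the wire these are 32-bit second counts compared with serial
        number arithmetic; plain datetime comparison matches until 2106.)
        """
        if now < self.inception:
            return "not-yet-valid"
        if now > self.expiration:
            return "expired"
        if self.expiration - now <= warn_within:
            return "expiring-soon"
        return "valid"


def parse_rrsig(line: str) -> RRSIG:
    """Parse one presentation-format RRSIG line (the class field may be absent)."""
    fields = line.split()
    try:
        i = fields.index("RRSIG")  # fields after it follow RFC 4034 section 3.2 order
    except ValueError:
        raise ValueError(f"not an RRSIG record: {line!r}") from None
    if len(fields) < i + 10:
        raise ValueError(f"truncated RRSIG record: {line!r}")
    return RRSIG(
        owner=fields[0],
        type_covered=fields[i + 1],
        expiration=sig_time(fields[i + 5]),
        inception=sig_time(fields[i + 6]),
        key_tag=int(fields[i + 7]),
        signer=fields[i + 8],
    )


def check_rrsigs(text: str, now: datetime, warn_within: timedelta = timedelta(days=2)):
    """Return [(owner, type_covered, status)] for every RRSIG line in `text`."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # blank lines and zone-file comments
        sig = parse_rrsig(line)
        results.append((sig.owner, sig.type_covered, sig.status(now, warn_within)))
    return results


def bogus_rrsigs(text: str, now: datetime):
    """Only the signatures a validator would already reject outright."""
    return [r for r in check_rrsigs(text, now) if r[2] in ("expired", "not-yet-valid")]


if __name__ == "__main__":
    for owner, rtype, status in check_rrsigs(SAMPLE_RRSIGS, datetime.now(timezone.utc)):
        print(f"{status:15} {owner} {rtype}")
```

The `expiring-soon` threshold is the useful knob: set it to longer than your re-signing interval plus the longest TTL in the zone, so that a signer that has silently stopped (the situation in the thread, seen from the site's point of view) is noticed while the old signatures are still valid.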