This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] DNSSEC Validation Failures for RIPE NCC Zones
Petr Špaček
petr.spacek at nic.cz
Mon May 25 11:21:26 CEST 2020
On 22. 05. 20 14:21, Anand Buddhdev wrote:
> Dear colleagues,
>
> Yesterday afternoon (21 May 2020), our DNSSEC signer rolled the Zone Signing Keys (ZSKs) of all the zones we operate. Unfortunately, a bug in the signer caused it to withdraw the old ZSKs soon after the new keys began signing the zones.
>
> Validating resolvers may have experienced some failures if they had cached signatures made by the old ZSKs.
>
> We apologise for any operational problems this may have caused. We are looking at the issue with the developers of our Knot DNS signer to prevent such an occurrence in the future.

Knot DNS 2.9.5 with fix for this particular problem was released and we encourage all users to upgrade. Full release announcement:
https://lists.nic.cz/pipermail/knot-dns-users/2020-May/001815.html

The bug sometimes caused automatic key roll-overs to be finished too early, leading to temporary DNSSEC validation failures.

More detailed problem description + workaround:
https://lists.nic.cz/pipermail/knot-dns-users/2020-May/001813.html

We apologize to everyone affected.

--
Petr Špaček @ CZ.NIC
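The failure mode discussed in this thread (an old ZSK withdrawn while resolvers can still hold signatures made with it) can be checked for from zone observations. The following is an added example, not part of the original message and not Knot DNS code; the snapshot format, key tags, times, TTL and propagation delay are all constructed assumptions, and the safe-removal rule used is the usual "signature TTL plus propagation delay after the old key stops signing".

```python
from datetime import datetime, timedelta

# Constructed snapshots of one zone: (time observed, ZSK key tags published in
# the DNSKEY RRset, key tag seen in served RRSIGs). All values are made up.
SNAPSHOTS = [
    (datetime(2020, 1, 1, 12, 0), {11111}, 11111),
    (datetime(2020, 1, 1, 13, 0), {11111, 22222}, 11111),   # new ZSK published
    (datetime(2020, 1, 1, 15, 0), {11111, 22222}, 22222),   # new ZSK signs
    (datetime(2020, 1, 1, 15, 10), {22222}, 22222),         # old ZSK withdrawn
]


def find_unsafe_withdrawals(snapshots, rrsig_ttl, propagation_delay):
    """Return (key_tag, withdrawn_at, safe_after) for ZSKs removed too early.

    safe_after is None when the key was removed while still signing.
    """
    retired_at = {}     # key tag -> when its RRSIGs stopped being served
    findings = []
    prev_published, prev_signer = set(), None
    for when, published, signer in snapshots:
        if prev_signer is not None and signer != prev_signer:
            retired_at[prev_signer] = when
        for tag in sorted(prev_published - published):
            if tag == signer:
                findings.append((tag, when, None))
            elif tag in retired_at:
                # Resolvers may hold this key's signatures until the last
                # served RRSIG has propagated and its TTL has run out.
                safe_after = retired_at[tag] + propagation_delay + rrsig_ttl
                if when < safe_after:
                    findings.append((tag, when, safe_after))
        prev_published, prev_signer = published, signer
    return findings


if __name__ == "__main__":
    for tag, when, safe in find_unsafe_withdrawals(
            SNAPSHOTS, timedelta(hours=1), timedelta(minutes=5)):
        print(f"ZSK {tag} withdrawn at {when}, not safe before {safe}")
```
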