This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[dns-wg] post-mortem for ripe.net DNSSEC problem on 1 November 2023

Previous message (by thread): [dns-wg] post-mortem for ripe.net DNSSEC problem on 1 November 2023
Next message (by thread): [dns-wg] DNS-WG at RIPE 87: Call for presentations

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Janos Zsako zsako at nic.hu
Sun Nov 5 15:13:14 CET 2023

Dear Paul,

> Please find below the post mortem for the DNSSEC problem that caused 
> most of RIPE NCC's services to become unavailable yesterday.

Thank you very much for the detailed post-mortem.

> Please reach out if you have any questions or feedback.

I would like to comment on a single item, see below.

> New or changed records were still properly signed (363 of 
> them), which meant that our monitoring, which checks the signature 
> validity of the SOA record at the zone apex, missed this issue.

It may be a good idea to check for the lowest timestamp of signature 
validity (of the RRSIG records) in the zone. We monitor this for .hu 
from the beginning (i.e. since we started signing the zone with DNSSEC).

Best regards,
Janos

Previous message (by thread): [dns-wg] post-mortem for ripe.net DNSSEC problem on 1 November 2023
Next message (by thread): [dns-wg] DNS-WG at RIPE 87: Call for presentations

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ dns-wg Archives ]