[Dnssec-deployment] GI signatures expired

Matthew Pounsett mpounsett at ca.afilias.info
Mon Jan 3 16:43:44 EST 2011

On 2011/01/03 at 10:48, Chris Thompson wrote: 

> Critical RRSIGs (in particular, those on the DNSKEY RRset) in the GI (Gibraltar) TLD seem to have expired at 2011-01-03 11:58:07, i.e. nearly 4 hours ago now.

This was corrected at around 19:45 UTC.

A configuration option had the unexpected side-effect that a regularly scheduled re-signing doesn't happen until the first update to the zone after the re-signing event is scheduled.  This, combined with the fact that the gi. zone hasn't seen an update in several days, means that the re-signing on the 1st of the month for that zone didn't happen.  No other zones we manage were affected.

We caused a serial number advance on the master which has brought everything back in line, and we're working on a permanent fix to prevent this from happening again.

Unfortunately, our internal monitoring for this zone did not catch the issue before it was reported to us in email.  A fix is going in place for that as well.

On 2011/01/03, at 14:22, Paul Hoffman wrote:

> Chris' original message was about a signature that was already expired. Thus, it's not "naming and shaming" as much as a warning to resolver operators *and* a note about deployment issues.

It's still generally considered polite to notify the SOA RNAME and allow the operator to make whatever public statement is necessary.  Regardless of the intent, public posting first looks like naming and shaming to many people, as is clear from the comments I've received off-list.

In our case, any DNS-related email to the RNAME results in an immediate escalation to someone in our DNS ops group, so this is a very reliable way to report issues.
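
An added example, not part of the original message and not the operator's own monitoring: a check that reads RRSIG records in dig-style presentation format and flags signatures that have expired or are close to expiry, using only the published signature times rather than the zone serial or the re-signing schedule. The sample records are constructed; only the DNSKEY expiration time is taken from the thread, and the 5-day warning window is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in dig-style presentation format. Only the DNSKEY RRSIG
# expiration (2011-01-03 11:58:07 UTC) comes from the thread; inception times,
# key tags, algorithm and signature data are placeholders.
SAMPLE = """\
gi. 86400 IN RRSIG DNSKEY 7 1 86400 20110103115807 20101201115807 11111 gi. AAAA
gi. 86400 IN RRSIG SOA 7 1 86400 20110110115807 20101211115807 22222 gi. AAAA
gi. 86400 IN RRSIG NS 7 1 86400 20110201000000 20110101000000 22222 gi. AAAA
"""

def parse_time(field):
    """RFC 4034 3.2: YYYYMMDDHHmmSS in UTC, or seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def check_rrsigs(text, now, warn=timedelta(days=5)):
    """Return (status, owner, covered_type, expiration) for each RRSIG line."""
    results = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13 or f[3].upper() != "RRSIG":
            continue  # not an RRSIG in owner/ttl/class/type layout
        expires = parse_time(f[8])
        if expires <= now:
            status = "EXPIRED"
        elif expires - now <= warn:
            status = "WARNING"  # re-signing is overdue but validation still works
        else:
            status = "OK"
        results.append((status, f[0], f[4], expires))
    return results

if __name__ == "__main__":
    # Constructed evaluation time, a few hours after the DNSKEY RRSIG expired.
    now = datetime(2011, 1, 3, 15, 48, tzinfo=timezone.utc)
    for status, owner, covered, expires in check_rrsigs(SAMPLE, now):
        print(f"{status:8} {owner} {covered:7} expires {expires:%Y-%m-%d %H:%M:%S} UTC")
```

Run against the answers served by each authoritative server, a check like this raises the WARNING state days before validators start failing, whether or not the zone has been updated.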

