AFNIC, which manages the .fr country-code top-level domain, has issued a DNSSEC deployment incident report detailing what happened on February 12 when “the .fr zone becomes inaccessible to any validating resolver outside business hours. The problem concerns a certain type of record (NSEC3) which is not yet monitored, and for this reason our warning system does not report the incident.”
The report includes a step-by-step account of the incident and responses to it, and concludes, “DNSsec is still a complex form of technology, and not all the software layers used in it have yet been tested in production in all of the configurations. It is therefore understandable that a certain number of bugs may still be encountered. The reactivity of the ISC in particular and the sharing of experience feedback by and between registries nevertheless make us feel confident that this stabilisation period will be as short as possible and will not affect the possibilities of large-scale go-live of DNSsec.”
Recent Comments