Re: irtf.org DNSSEC signatures (partly) expired

On Sat, Nov 07, 2015 at 01:29:48PM -0800, Glen wrote:

> I apologize for the noise and confusion.  Mr Dukhovni did not address
> his email to the IETF list; however, he did send his email with a
> manually-configured Reply-to: header set to the list.  I should have
> noticed that when replying.
> 
> At any rate, DNS for the IRTF is not down, it does appear to be
> functioning correctly, and other test sites confirm it.  The site
> referenced in Mr. Dukhovni's email, dataviz.net, appeared to have been
> caching old results.

For the record, the dnsviz.net results were quite fresh, and all
the nameservers except the master were returning "bogus" results
with expired signatures.  With 5 out of 6 nameservers in that state,
most DNS lookups were failing for any validating stub or recursive
nameservers.

Dnsviz links and associated timestamps for the outage are:

    http://dnsviz.net/d/irtf.org/VjpVPA/dnssec/		2015-11-04 18:58:04 UTC
    http://dnsviz.net/d/irtf.org/VjqI6g/dnssec/		2015-11-04 22:38:34 UTC 
    http://dnsviz.net/d/irtf.org/Vjr5Wg/dnssec/		2015-11-05 06:38:18 UTC
    http://dnsviz.net/d/irtf.org/VjtpxA/dnssec/		2015-11-05 14:37:56 UTC
    http://dnsviz.net/d/irtf.org/VjvaWw/dnssec/		2015-11-05 22:38:19 UTC
    http://dnsviz.net/d/irtf.org/VjxKwA/dnssec/		2015-11-06 06:37:52 UTC
    http://dnsviz.net/d/irtf.org/Vjy7Yg/dnssec/		2015-11-06 14:38:26 UTC
    http://dnsviz.net/d/irtf.org/Vj0rxA/dnssec/		2015-11-06 22:37:56 UTC
    http://dnsviz.net/d/irtf.org/Vj2cYQ/dnssec/		2015-11-07 06:38:25 UTC
    http://dnsviz.net/d/irtf.org/Vj4MxQ/dnssec/		2015-11-07 14:37:57 UTC
    http://dnsviz.net/d/irtf.org/Vj5ihg/dnssec/		2015-11-07 20:43:50 UTC

with only the master nameserver showing valid signatures at those times.

After the zone refresh:

    http://dnsviz.net/d/irtf.org/Vj5rsA/dnssec/

the timestamp is "2015-11-07 21:22:56 UTC" with all nameservers
showing valid signatures.

If we look back just before the outage then all is well at:

    http://dnsviz.net/d/irtf.org/VjnfOA/dnssec/		2015-11-04 10:34:32 UTC

then the only hint of trouble is a possibly transient problem
fetching the DNSKEY RRset from the master.

Another 8 hours before that:

    http://dnsviz.net/d/irtf.org/VjlvmA/dnssec/		2015-11-04 02:38:16 UTC

all looks well. Though both then and now a 1 year signature validity
feels a bit too long to me.  And with re-signing so infrequent, it
is difficult to ensure that it works correctly.

-- 
	Viktor.
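Added example, not code from the thread: a stdlib-only Python check that parses the RRSIG each authoritative nameserver returns for a zone, flags signatures that are expired or close to expiry, marks servers still serving older signatures than the freshest one seen (the master-fresh, secondaries-expired split above), and reports the signature lifetime so a one-year validity window stands out. The nameserver names and RRSIG records are constructed; collecting them from each server is assumed to happen elsewhere.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample: the RRSIG over the SOA as served by each nameserver of one
# zone. Names and values are invented, not the real irtf.org records. Fields follow
# the presentation format: owner ttl class RRSIG type alg labels origttl exp inc keytag signer sig
SAMPLE_RRSIGS = {
    "ns-master.example.net.": "zone.example. 3600 IN RRSIG SOA 8 2 3600 "
                              "20161104100000 20151104100000 12345 zone.example. AAAA==",
    "ns1.example.net.": "zone.example. 3600 IN RRSIG SOA 8 2 3600 "
                        "20151104120000 20141104120000 12345 zone.example. AAAA==",
    "ns2.example.net.": "zone.example. 3600 IN RRSIG SOA 8 2 3600 "
                        "20151104120000 20141104120000 12345 zone.example. AAAA==",
}

def parse_rrsig_time(field):
    # RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    f = line.split()
    if len(f) < 12 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: " + line)
    return {"type": f[4], "expiration": parse_rrsig_time(f[8]),
            "inception": parse_rrsig_time(f[9]), "keytag": int(f[10])}

def classify(sig, now, warn=timedelta(days=7)):
    # A validator treats a signature outside [inception, expiration] as bogus
    if now < sig["inception"]:
        return "not-yet-valid"
    if now >= sig["expiration"]:
        return "expired"
    if sig["expiration"] - now < warn:
        return "expiring"
    return "ok"

def check_zone(rrsigs_by_ns, now, warn=timedelta(days=7)):
    # Returns {nameserver: {status, stale, lifetime_days}}; 'stale' means the
    # server signs earlier than the newest signature seen, i.e. it missed a re-sign.
    if isinstance(now, str):
        now = parse_rrsig_time(now)
    parsed = {ns: parse_rrsig(line) for ns, line in rrsigs_by_ns.items()}
    newest = max(s["inception"] for s in parsed.values())
    report = {}
    for ns, sig in parsed.items():
        report[ns] = {
            "status": classify(sig, now, warn),
            "stale": sig["inception"] < newest,
            "lifetime_days": (sig["expiration"] - sig["inception"]).days,
        }
    return report
```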