Re: irtf.org DNSSEC signatures (partly) expired

2015-11-07 15:58:57
On Sat, Nov 07, 2015 at 01:29:48PM -0800, Glen wrote:

> I apologize for the noise and confusion.  Mr Dukhovni did not address
> his email to the IETF list; however, he did send his email with a
> manually-configured Reply-to: header set to the list.  I should have
> noticed that when replying.
>
> At any rate, DNS for the IRTF is not down, it does appear to be
> functioning correctly, and other test sites confirm it.  The site
> referenced in Mr. Dukhovni's email, dataviz.net, appeared to have been
> caching old results.

For the record, the dnsviz.net results were quite fresh, and all
the nameservers except the master were returning "bogus" results
with expired signatures.  With 5 out of 6 nameservers in that state,
most DNS lookups were failing for any validating stub or recursive
nameservers.

Dnsviz links and associated timestamps for the outage are:

    http://dnsviz.net/d/irtf.org/VjpVPA/dnssec/         2015-11-04 18:58:04 UTC
    http://dnsviz.net/d/irtf.org/VjqI6g/dnssec/         2015-11-04 22:38:34 UTC 
    http://dnsviz.net/d/irtf.org/Vjr5Wg/dnssec/         2015-11-05 06:38:18 UTC
    http://dnsviz.net/d/irtf.org/VjtpxA/dnssec/         2015-11-05 14:37:56 UTC
    http://dnsviz.net/d/irtf.org/VjvaWw/dnssec/         2015-11-05 22:38:19 UTC
    http://dnsviz.net/d/irtf.org/VjxKwA/dnssec/         2015-11-06 06:37:52 UTC
    http://dnsviz.net/d/irtf.org/Vjy7Yg/dnssec/         2015-11-06 14:38:26 UTC
    http://dnsviz.net/d/irtf.org/Vj0rxA/dnssec/         2015-11-06 22:37:56 UTC
    http://dnsviz.net/d/irtf.org/Vj2cYQ/dnssec/         2015-11-07 06:38:25 UTC
    http://dnsviz.net/d/irtf.org/Vj4MxQ/dnssec/         2015-11-07 14:37:57 UTC
    http://dnsviz.net/d/irtf.org/Vj5ihg/dnssec/         2015-11-07 20:43:50 UTC

with only the master nameserver showing valid signatures at those times.

After the zone refresh:

    http://dnsviz.net/d/irtf.org/Vj5rsA/dnssec/

the timestamp is "2015-11-07 21:22:56 UTC" with all nameservers
showing valid signatures.

If we look back just before the outage then all is well at:

    http://dnsviz.net/d/irtf.org/VjnfOA/dnssec/         2015-11-04 10:34:32 UTC

then the only hint of trouble is a possibly transient problem
fetching the DNSKEY RRset from the master.

Another 8 hours before that:

    http://dnsviz.net/d/irtf.org/VjlvmA/dnssec/         2015-11-04 02:38:16 UTC

all looks well. Though both then and now a 1 year signature validity
feels a bit too long to me.  And with re-signing so infrequent, it
is difficult to ensure that it works correctly.

-- 
        Viktor.
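As an added example, not part of Viktor's mail or anything from the IRTF, the following stdlib-only Python script does what the dnsviz snapshots above did by hand: query each authoritative server directly (no recursion), parse the RRSIG expiration and inception fields from the answer, and report per server whether the signatures it serves are already expired ("bogus", which is what a validating resolver will conclude), about to expire ("warn"), fine ("ok") or absent ("missing"). The zone name `zone.example`, the server names and the answers in `SAMPLE_RESPONSES` are constructed to mirror the outage described (one server re-signed, the others still serving last year's signatures); `fetch_answer` wraps `dig` for live use and is not called by the sample.

```python
"""Per-nameserver RRSIG expiry check (added example, not from the original mail)."""
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Presentation format of an RRSIG RR (RFC 4034, section 3.2), one RR per line as
# `dig +dnssec +noall +answer` prints it:
#   owner ttl IN RRSIG type-covered alg labels orig-ttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+"
    r"(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<origttl>\d+)\s+"
    r"(?P<expiration>\d+)\s+(?P<inception>\d+)\s+(?P<keytag>\d+)\s+(?P<signer>\S+)"
)

SEVERITY = {"ok": 0, "warn": 1, "bogus": 2, "missing": 3}


def parse_sig_time(field: str) -> datetime:
    """RRSIG times are YYYYMMDDHHMMSS in UTC or seconds since the epoch (RFC 4034 3.2)."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsigs(text: str) -> list:
    """Extract the RRSIG records from a dig answer section; other RRs are ignored."""
    sigs = []
    for line in text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if m:
            sigs.append({
                "owner": m["owner"], "covered": m["covered"], "keytag": int(m["keytag"]),
                "inception": parse_sig_time(m["inception"]),
                "expiration": parse_sig_time(m["expiration"]),
            })
    return sigs


def classify(sig: dict, now: datetime, warn_before: timedelta = timedelta(days=14)) -> str:
    """Apply the validator's temporal check (RFC 4035 5.3.1) and add an early warning."""
    if now < sig["inception"] or now >= sig["expiration"]:
        return "bogus"          # a validating resolver rejects this signature
    if sig["expiration"] - now <= warn_before:
        return "warn"           # still valid, but re-signing or zone transfer is late
    return "ok"


def lifetime_days(sig: dict) -> int:
    """Signature validity window; a year-long window hides a broken re-signing job."""
    return (sig["expiration"] - sig["inception"]).days


def check_servers(responses: dict, now: datetime) -> dict:
    """Map server -> worst RRSIG status found in that server's answer."""
    status = {}
    for server, text in responses.items():
        sigs = parse_rrsigs(text)
        if not sigs:
            status[server] = "missing"   # no RRSIG at all: unsigned zone or DO bit ignored
        else:
            status[server] = max((classify(s, now) for s in sigs), key=lambda s: SEVERITY[s])
    return status


def fetch_answer(server: str, name: str, rrtype: str = "SOA") -> str:
    """Live query of one authoritative server with dig (needs network; unused by the sample)."""
    cmd = ["dig", "+dnssec", "+norecurse", "+noall", "+answer", f"@{server}", name, rrtype]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample (not real data): one server has re-signed, another still serves
# last year's signature, a third is days from expiry, the last returns no RRSIG.
SAMPLE_NOW = datetime(2015, 11, 5, 0, 0, tzinfo=timezone.utc)
SAMPLE_RESPONSES = {
    "master.zone.example": (
        "zone.example. 3600 IN SOA master.zone.example. hostmaster.zone.example. 2015110401 3600 900 1209600 3600\n"
        "zone.example. 3600 IN RRSIG SOA 8 2 3600 20161104120000 20151104120000 12345 zone.example. c29tZXNpZw==\n"
    ),
    "ns1.zone.example": (
        "zone.example. 3600 IN SOA master.zone.example. hostmaster.zone.example. 2014110401 3600 900 1209600 3600\n"
        "zone.example. 3600 IN RRSIG SOA 8 2 3600 20151104120000 20141104120000 12345 zone.example. c29tZXNpZw==\n"
    ),
    "ns2.zone.example": (
        "zone.example. 3600 IN RRSIG SOA 8 2 3600 20151109120000 20141109120000 12345 zone.example. c29tZXNpZw==\n"
    ),
    "ns3.zone.example": (
        "zone.example. 3600 IN SOA master.zone.example. hostmaster.zone.example. 2015110401 3600 900 1209600 3600\n"
    ),
}


def run_sample() -> dict:
    """Evaluate the constructed answers at the constructed 'now'."""
    return check_servers(SAMPLE_RESPONSES, SAMPLE_NOW)


if __name__ == "__main__":
    for server, state in sorted(run_sample().items()):
        print(f"{server:22s} {state}")
```

Two practical points this makes visible. First, a secondary can only keep serving old RRSIGs while it is still serving the old zone, so a "bogus" result from one server next to "ok" from the master points at zone transfer or NOTIFY, not at the signer; comparing SOA serials across servers in the same run narrows that down. Second, the verdict is only as good as the monitoring host's clock, the same dependency a validating resolver has, so run it from a host with trusted time.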