ru tld down?

Mark Andrews marka at isc.org
Thu Feb 8 04:38:58 UTC 2024


Given “MUST NOT” is not in RFC 4034, Appendix B, I’d take this with a grain
of salt. Appendix B has a “NOT RECOMMENDED” but that applies to using RSA/MD5
keys.

Key id collisions are part and parcel of DNSSEC.  In BIND we reject collisions
when generating new keys so we don’t have to deal with multiple keys with the
same key id and algorithm when signing.  The validator handles them however.
They do make re-signing more complicated (you have to verify the old signature
against each key with a matching ID if you want to just deal with the signatures
from a particular key or just re-sign with all keys with the same key id).  Your
key store also needs to be able to handle collisions.

Mark
 
> On 8 Feb 2024, at 05:58, Töma Gavrichenkov <ximaera at gmail.com> wrote:
> 
> Peace,
> 
> TWIMC: the .ru TLD has issued a post mortem. A tl;dr version:
> 
> After a new key was crafted during an ordinary key update process, its key tag hash-collided with some other key, and due to a violation of the MUST NOT clause in the RFC 4034, Appendix B, the wrong key was deployed to the system.
> 
> --
> Töma
> 
> On Wed, 31 Jan 2024, 9:59 am Bill Woodcock, <woody at pch.net> wrote:
> >>> On Tue, Jan 30, 2024 at 8:11 AM Bill Woodcock <woody at pch.net> wrote:
> >>> Not exactly down…  they just busted their DNSSEC, or their domain got hijacked or something.  Bad DNSKEY records.
> >> 
> >> On Jan 31, 2024, at 06:34, Eric Kuhnke <eric.kuhnke at gmail.com> wrote:
> >> Not necessarily saying these are related, but given the current geopolitical situation, not beyond the realm of possibility that this is the result of 'something else' gone wrong.
> 
> Phil Kulin posted a more specific timeline on dns-ops:
> 
> > Begin forwarded message:
> > 
> > From: Phil Kulin <schors at gmail.com>
> > Subject: Re: [dns-operations] .RU zone failed ZSK rotation
> > Date: January 31, 2024 at 03:34:40 GMT+1
> > To: Sergey Myasoedov <s at netartgroup.com>
> > Cc: dns-operations at lists.dns-oarc.net
> > 
> > Timeline:
> > 2024-01-30 12:29:44 UTC: Last correct answer before outage (SOA SN:
> > 4058855): https://dnsviz.net/d/ru/ZbjruA/dnssec/
> > 2024-01-30 15:27:27 UTC: First bad answer (SOA SN: 4058857):
> > https://dnsviz.net/d/ru/ZbkVXw/dnssec/
> > 2024-01-30 17:27:35 UTC: Resigning attempt (SOA SN: 4058857 and
> > 4058858): https://dnsviz.net/d/ru/Zbkxhw/dnssec/
> > 2024-01-30 17:59:46 UTC: Recovering process started (SOA SN: 4058857
> > and 4058857 and 4058858): https://dnsviz.net/d/ru/Zbk5Eg/dnssec/
> > 2024-01-30 19:07:29 UTC: First completely good answer (SOA SN:
> > 4058856): https://dnsviz.net/d/ru/ZblI8Q/dnssec/
> 
> There’s no reason to think that any external parties influenced this.  Ockham’s razor.
> 
> So many euphemisms suggest themselves in a situation like this…  Own-goal, one-car-accident, etc.  Except that we all know that one small thing overlooked and we’ll be in their shoes tomorrow.  All geopolitics aside, my empathy to the .RU operator.
> 
>                                 -Bill
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
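Mark's point about key tag collisions, as an added example that is not part of the thread or of BIND: the RFC 4034 Appendix B tag computation, the signer-side rejection of a new key whose tag collides with an existing key of the same algorithm (the behaviour he describes for BIND), and the validator-side selection of every key matching an RRSIG's tag and algorithm. The DnsKey class, helper names and sample key bytes are constructed for illustration; the collision is produced deliberately to exercise both checks.

```python
import struct
from dataclasses import dataclass

def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B checksum over the DNSKEY RDATA; a hint, not unique."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets weigh 256, odd weigh 1
    ac += (ac >> 16) & 0xFFFF          # fold the carry back in
    return ac & 0xFFFF

@dataclass(frozen=True)
class DnsKey:
    flags: int        # 256 = ZSK, 257 = KSK (SEP bit)
    algorithm: int    # 13 = ECDSAP256SHA256
    pubkey: bytes
    protocol: int = 3 # RFC 4034 2.1.2: always 3
    @property
    def tag(self) -> int:
        return key_tag(self.flags, self.protocol, self.algorithm, self.pubkey)

def collides(candidate: DnsKey, keyset: list) -> bool:
    """Signer side: refuse a new key whose (tag, algorithm) is already in the
    key store, so signing never has to disambiguate between keys."""
    return any(k.algorithm == candidate.algorithm and k.tag == candidate.tag
               for k in keyset)

def candidate_keys(keyset: list, rrsig_tag: int, rrsig_alg: int) -> list:
    """Validator side: every DNSKEY matching the RRSIG's tag and algorithm
    is a candidate and must be tried until one verifies the signature."""
    return [k for k in keyset if k.algorithm == rrsig_alg and k.tag == rrsig_tag]

def same_tag_variant(key: DnsKey) -> DnsKey:
    """Constructed demo: shifting +1/-1 between two public-key bytes of equal
    offset parity keeps the weighted sum, hence the tag, unchanged."""
    pk = bytearray(key.pubkey)
    pk[0] += 1
    pk[2] -= 1
    return DnsKey(key.flags, key.algorithm, bytes(pk), key.protocol)

# Constructed sample ZSK; the "public key" is synthetic filler bytes.
ZSK = DnsKey(flags=256, algorithm=13, pubkey=bytes(range(16, 48)))

if __name__ == "__main__":
    new_key = same_tag_variant(ZSK)
    print(f"tags {ZSK.tag} / {new_key.tag}, same key: {new_key == ZSK}")
    print("signer rejects new key:", collides(new_key, [ZSK]))
    print("validator candidates:", len(candidate_keys([ZSK, new_key], ZSK.tag, 13)))
```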
