On 22. 05. 20 14:22, Anand Buddhdev wrote:
> Dear colleagues,
>
> Yesterday afternoon (21 May 2020), our DNSSEC signer rolled the Zone Signing
> Keys (ZSKs) of all the zones we operate. Unfortunately, a bug in the signer
> caused it to withdraw the old ZSKs soon after the new keys began signing the
> zones.
>
> Validating resolvers may have experienced some failures if they had cached
> signatures made by the old ZSKs.
>
> We apologise for any operational problems this may have caused. We are
> looking at the issue with the developers of our Knot DNS signer to prevent
> such an occurrence in the future.

Knot DNS 2.9.5 with a fix for this particular problem was released and we encourage all users to upgrade. Full release announcement:
https://lists.nic.cz/pipermail/knot-dns-users/2020-May/001815.html

The bug sometimes caused automatic key roll-overs to be finished too early, leading to temporary DNSSEC validation failures. More detailed problem description + workaround:
https://lists.nic.cz/pipermail/knot-dns-users/2020-May/001813.html

We apologize to everyone affected.

-- 
Petr Špaček @ CZ.NIC
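
Added example (not part of the messages above and not Knot DNS code): a timing check for the failure mode described in this thread, where the old ZSK leaves the DNSKEY RRset while resolvers can still hold signatures made by it. It assumes the pre-publish ZSK rollover timing from RFC 7583 (Iret = Dsgn + Dprp + TTLsig); the class, function names and sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import NamedTuple, Optional, Tuple


class Rollover(NamedTuple):
    sign_start: datetime      # new ZSK starts signing the zone
    sign_duration: timedelta  # Dsgn: time until every RRset is re-signed
    propagation: timedelta    # Dprp: time until all secondaries serve the new zone
    max_rrsig_ttl: timedelta  # TTLsig: largest TTL on any signed RRset


def earliest_safe_removal(r: Rollover) -> datetime:
    """First moment the old ZSK may leave the DNSKEY RRset (RFC 7583 Iret)."""
    return r.sign_start + r.sign_duration + r.propagation + r.max_rrsig_ttl


def failure_window(r: Rollover, old_key_removed: datetime) -> Optional[Tuple[datetime, datetime]]:
    """Worst-case window in which a resolver can hold a cached RRSIG made by
    the old ZSK but fetch a DNSKEY RRset that no longer contains that key."""
    safe = earliest_safe_removal(r)
    if old_key_removed >= safe:
        return None  # every old signature has expired from caches
    return (old_key_removed, safe)


# Constructed sample values, not taken from the incident described above.
UTC = timezone.utc
SAMPLE = Rollover(
    sign_start=datetime(2020, 1, 1, 12, 0, tzinfo=UTC),
    sign_duration=timedelta(minutes=10),
    propagation=timedelta(hours=1),
    max_rrsig_ttl=timedelta(hours=24),
)

if __name__ == "__main__":
    for removed in (SAMPLE.sign_start + timedelta(minutes=30),
                    earliest_safe_removal(SAMPLE)):
        window = failure_window(SAMPLE, removed)
        if window is None:
            print(f"old ZSK removed {removed:%Y-%m-%d %H:%M}: safe")
        else:
            print(f"old ZSK removed {removed:%Y-%m-%d %H:%M}: "
                  f"validation may fail until {window[1]:%Y-%m-%d %H:%M} UTC")
```

The same comparison can be run as a pre-removal gate in rollover tooling or as a monitoring check against the times at which keys actually appear in and disappear from the DNSKEY RRset.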
