The New Zealand Internet registrar responsible for the “.nz” domain zone has warned about an incident that caused massive failures in the resolution of domain names in the “.nz” zone and 15 related second-level zones, such as “co.nz” and “net.nz”. The failure was caused by an error made during the rotation of the KSK (Key Signing Key), which is used to digitally sign the DNSKEY records containing the keys that sign the domain zone (ZSK, Zone Signing Key). After the incident, on DNS servers that use DNSSEC to verify the authenticity of data, all domains in the “.nz” zone stopped resolving (resolution attempts lead to the server returning SERVFAIL).
Since DNSSEC was introduced for the zone, annual key rotation has become routine. This year the rotation was performed in the usual way, but at the end of last year the registrar had introduced a new information system in which the key format differed slightly from the previous one, and this difference was not detected during testing and integration of the new platform. The administrators did not account for the differences and did not test the rotation process under the new conditions beforehand. As a result, when DNS servers resolved names, verification of digital signatures using the KSK key of the root zone stopped passing.
The problem is aggravated by the fact that the erroneous key records settled in the caches of caching servers, so to restore normal operation quickly, administrators of recursive servers need to flush the cache manually (restarting the DNS server is usually enough). Otherwise, to resume resolution of “.nz” domains, it is necessary to wait for the DNSSEC records to expire; their lifetime for the “.nz” zone was set to 48 hours (the incident occurred on the evening of May 29, so waiting for the records to expire will take more than a day).
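A rotation like the one described above can be gated on a chain-of-trust check before publication: every DS record held by the parent zone must match a KSK in the DNSKEY set about to be served. The following is an added example, not the registrar's tooling and not a reconstruction of the actual format difference; the function names are hypothetical and the keys are constructed dummy bytes.

```python
import hashlib
import struct

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA wire format (RFC 4034 s2.1): flags, protocol=3, algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name such as 'nz.'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(name: str, rdata: bytes) -> tuple:
    """DS fields for a DNSKEY: (key tag, algorithm, digest type 2, SHA-256 hex digest)."""
    digest = hashlib.sha256(owner_wire(name) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def unmatched_ds(name: str, parent_ds: list, dnskey_rrset: list) -> list:
    """Return parent DS records that no KSK (zone-key and SEP bits set) in the RRset satisfies."""
    ksks = [k for k in dnskey_rrset if struct.unpack("!H", k[:2])[0] & 0x0101 == 0x0101]
    published = {make_ds(name, k) for k in ksks}
    return [ds for ds in parent_ds if ds not in published]

# Constructed sample data (dummy key bytes, not real .nz keys).
OLD_KSK = dnskey_rdata(257, 13, bytes(range(64)))
NEW_KSK = dnskey_rdata(257, 13, bytes(range(64, 128)))
ZSK = dnskey_rdata(256, 13, bytes(range(128, 192)))
PARENT_DS = [make_ds("nz.", OLD_KSK)]  # parent still points at the old KSK

if __name__ == "__main__":
    # Safe step: old and new KSK published together, parent DS still validates.
    print("overlap  :", unmatched_ds("nz.", PARENT_DS, [OLD_KSK, NEW_KSK, ZSK]))
    # Broken step: old KSK withdrawn before the parent DS was updated.
    print("early cut:", unmatched_ds("nz.", PARENT_DS, [NEW_KSK, ZSK]))
    # Same key bytes exported with different flags no longer match the DS.
    reflagged = dnskey_rdata(256, 13, bytes(range(64)))
    print("reflagged:", unmatched_ds("nz.", PARENT_DS, [reflagged, ZSK]))
```

A non-empty result means validating resolvers would fail to build the chain of trust and answer SERVFAIL, so the new key set should not be published.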