[dns-operations] DNSSEC validation failures for reverse delegations?

Hi All,

Here's the brief report of the DNSSEC outage in APNIC over the weekend. We apologize if this caused any inconvenience.

Our active DNSSEC signer lost connectivity after a switch failure on 7 December 19:00 UTC+10. While the primary DNSSEC signer is offline, incoming updates on APNIC reverse zones will only reflect on our internal server.

To avoid delay in publishing DNS updates on authoritative DNS servers, we decided to configure our distribution server to use our standby DNSSEC signer.

While both signers have the same key pool from the previous sync, the monthly automated ZSK roll-over completely changed their own copies of the ZSKs used to sign the zone. This will result in validation failure if resource records in the cache were still signed by the previous keys.

Below are the zones affected by the ZSK changes.

101.in-addr.arpa
103.in-addr.arpa
106.in-addr.arpa
110.in-addr.arpa
111.in-addr.arpa
112.in-addr.arpa
113.in-addr.arpa
114.in-addr.arpa
115.in-addr.arpa
116.in-addr.arpa
117.in-addr.arpa
118.in-addr.arpa
119.in-addr.arpa
120.in-addr.arpa
121.in-addr.arpa
122.in-addr.arpa
123.in-addr.arpa
124.in-addr.arpa
125.in-addr.arpa
126.in-addr.arpa
14.in-addr.arpa
150.in-addr.arpa
153.in-addr.arpa
163.in-addr.arpa
171.in-addr.arpa
175.in-addr.arpa
180.in-addr.arpa
182.in-addr.arpa
183.in-addr.arpa
1.in-addr.arpa
202.in-addr.arpa
203.in-addr.arpa
210.in-addr.arpa
211.in-addr.arpa
218.in-addr.arpa
219.in-addr.arpa
220.in-addr.arpa
221.in-addr.arpa
222.in-addr.arpa
223.in-addr.arpa
27.in-addr.arpa
36.in-addr.arpa
39.in-addr.arpa
42.in-addr.arpa
43.in-addr.arpa
49.in-addr.arpa
58.in-addr.arpa
59.in-addr.arpa
60.in-addr.arpa
61.in-addr.arpa
0.4.2.ip6.arpa
2.0.1.0.0.2.ip6.arpa
3.0.1.0.0.2.ip6.arpa
4.4.1.0.0.2.ip6.arpa
5.4.1.0.0.2.ip6.arpa
8.1.0.0.2.ip6.arpa
9.1.0.0.2.ip6.arpa
a.1.0.0.2.ip6.arpa
b.1.0.0.2.ip6.arpa
c.0.1.0.0.2.ip6.arpa
d.0.1.0.0.2.ip6.arpa
e.0.1.0.0.2.ip6.arpa
f.0.1.0.0.2.ip6.arpa

--
Arth Paulite
APNIC - Infrastructure Services

On 10/12/12 2:25 AM, "Stephane Bortzmeyer" <bortzmeyer at nic.fr> wrote:

>On Sat, Dec 08, 2012 at 03:26:43PM +0100,
> Sebastian Wiesinger <dns-operations at ml.karotte.org> wrote
> a message of 55 lines which said:
>
>> since last night around 0:30 CET I'm getting sporadic validation
>> failures for a handful of reverse delegations. Not many but a few
>> each hour, from seemingly unrelated delegations:
>
>They're not unrelated, they are all from APNIC.
>
>> Any idea what's going on? I'm not sure it's something interesting
>> but I hadn't had messages like that before and now I get a few every
>> hour.
>
>The problem was also reported on another list but, no, no official
>statement from APNIC.
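
Added example, not part of the original message and not APNIC's tooling: a pre-failover check for the condition the report describes, where a standby signer's ZSKs have diverged from the ones the active signer has been signing with. The zone names (documentation address ranges), the tiny placeholder keys and the function names are constructed for illustration.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        # Even-indexed octets are the high byte of each 16-bit word.
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def zsks(dnskeys):
    # ZSK: flags 256 (Zone Key bit set, SEP bit clear).
    return {k for k in dnskeys if k[0] == 256}

def failover_gaps(active, standby):
    """Map zone -> key tags of ZSKs the active signer uses that are absent
    from the DNSKEY set the standby would publish. RRSIGs made with those
    keys may still be cached by resolvers, so they would fail validation
    once the standby's DNSKEY set replaces the old one."""
    gaps = {}
    for zone, keys in active.items():
        # Compare whole keys, since key tags alone can collide.
        missing = zsks(keys) - set(standby.get(zone, []))
        if missing:
            gaps[zone] = sorted(key_tag(*k) for k in missing)
    return gaps

# Constructed DNSKEY sets: (flags, protocol, algorithm, base64 key).
# The keys are short placeholders, not real key material.
KSK = (257, 3, 8, "AQAD")
ACTIVE = {
    "2.0.192.in-addr.arpa": [KSK, (256, 3, 8, "AQAB")],
    "100.51.198.in-addr.arpa": [KSK, (256, 3, 8, "AQAB")],
}
STANDBY = {
    # This zone's ZSK was rolled independently on the standby.
    "2.0.192.in-addr.arpa": [KSK, (256, 3, 8, "AQAC")],
    "100.51.198.in-addr.arpa": [KSK, (256, 3, 8, "AQAB")],
}

if __name__ == "__main__":
    for zone, tags in failover_gaps(ACTIVE, STANDBY).items():
        print(f"{zone}: standby lacks ZSK key tag(s) {tags}")
```

A non-empty result means the old ZSKs should stay published in the DNSKEY set, or the switch should wait until cached signatures have expired.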