On Wed, Jan 31, 2024 at 04:34:40AM +0200, Phil Kulin <[email protected]> wrote a message of 45 lines which said:
> Timeline: Thanks. I'm not convinced that the subject of this thread is useful. The chain of keys was always correct (unlike many DNSSEC problems, the DS, and DNSKEY were always in sync), the problem being that ZSK 52263 produced invalid signatures. Two hypothesis: 1) Something strange in this specific key broke the signatures (funny but unlikely) 2) The signing system had a sudden problem. Note that .ru went back, not only to the the previous ZSK but also to a previous zone, and the SOA serial (4058856) did not change since (it changed every ~ two hours before). It is possible that they cannot sign anymore. Note: there will be a short talk about this incident in FOSDEM (Brussels) on saturday, either at the DNS devroom or during the lightning talks. _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
