Service announcement: 8 May 2018

DNSSEC signing failure for

Start Time: Saturday, 5 May 2018 03:00 (UTC +10)
End Time: Tuesday, 8 May 2018 12:05 (UTC +10)
Duration: 3 days 9 hours
Services affected: Reverse DNS for zone


APNIC was alerted by the community to a DNSSEC signing failure for on 08 May 2018. APNIC began its investigation at 11:00 on 08 May 2018 (UTC+10) and found that the zone transfer of from our DNSSEC signer to our DNS distribution servers had a “bad zone” transfer status.

Further investigation found that the automated ZSK rollover for zone was completed as scheduled at 03:00 on 05 May 2018 (UTC+10). However, the DNSSEC signature for the ‘TXT’ resource record indicated it had been made with the previously active ZSK id 63316, which no longer existed as a DNSKEY. As a result, an invalid DNSSEC signature was detected for the zone, which prevented publication of the validly signed zone.

In order to flush the invalid signature data, APNIC incremented the zone serial number of from our provisioning master DNS server. This allowed the DNSSEC signer to transfer a new copy of the zone and re-sign resource records with the valid ZSK.

The root cause of the DNSSEC signing failure was a previously unknown bug in the signing system, which APNIC is discussing with the supplier of its DNSSEC signing system to prevent this incident from occurring again.

APNIC thanks the community for alerting us to the issue. APNIC is working to improve its monitoring systems to detect DNSSEC signing failures as they occur.
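The failure described above, an RRSIG made with a key id that is no longer in the zone's DNSKEY set, can be caught by a monitor that compares key tags without doing any signature verification. The Python check below is an added example, not APNIC's or its supplier's tooling; the zone name, key material and signatures are constructed placeholders, and only the key id 63316 comes from this announcement.

```python
import base64
import struct

# Constructed sample in dig/zone-file presentation format (TTL and class
# present on every line). The zone name is a placeholder in a documentation
# range; keys and signatures are dummy values. 63316 is the stale ZSK id
# reported in the announcement.
SAMPLE = """\
2.0.192.in-addr.arpa. 3600 IN DNSKEY 256 3 8 AQIDBA==
2.0.192.in-addr.arpa. 3600 IN RRSIG SOA 8 5 3600 20180601000000 20180502000000 2062 2.0.192.in-addr.arpa. c2ln
2.0.192.in-addr.arpa. 3600 IN RRSIG TXT 8 5 3600 20180601000000 20180502000000 63316 2.0.192.in-addr.arpa. c2ln
"""

def key_tag(flags, protocol, algorithm, public_key):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def orphaned_rrsigs(zone_text):
    """Return (owner, type_covered, key_tag) for RRSIGs whose key is not published."""
    published, rrsigs = set(), []
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        owner, rtype, rdata = f[0].lower(), f[3], f[4:]
        if rtype == "DNSKEY":
            key = base64.b64decode("".join(rdata[3:]))
            tag = key_tag(int(rdata[0]), int(rdata[1]), int(rdata[2]), key)
            published.add((owner, int(rdata[2]), tag))
        elif rtype == "RRSIG":
            # RDATA: type alg labels orig_ttl expiration inception key_tag signer sig
            rrsigs.append((owner, rdata[0], int(rdata[1]), int(rdata[6]), rdata[7].lower()))
    # An RRSIG is orphaned when no DNSKEY matches its signer, algorithm and key tag.
    return [(owner, covered, tag)
            for owner, covered, alg, tag, signer in rrsigs
            if (signer, alg, tag) not in published]

if __name__ == "__main__":
    for owner, covered, tag in orphaned_rrsigs(SAMPLE):
        print(f"ALERT {owner} {covered}: RRSIG key tag {tag} has no matching DNSKEY")
```

A key-tag match does not prove a signature is valid, so this check complements full validation rather than replacing it.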

We apologize for the loss of facilities and any inconvenience caused. Should you require assistance in dealing with any problems arising from this outage, please contact the APNIC Helpdesk.