Service announcement: 8 May 2018

DNSSEC signing failure for 121.in-addr.arpa

Start TimeSaturday, 5 May 2018 03:00 (UTC +10)
End TimeTuesday, 8 May 2018 12:05 (UTC +10)
Duration3 days 9 hours
Services affected

Reverse DNS for 121.in-addr.arpa zone

Description

APNIC was alerted by the community to a DNSSEC signing failure for 121.in-addr.arpa on 08 May 2018. APNIC began investigation at 11:00 08 May 2018 (UTC+10) and detected the zone transfer of 121.in-addr.arpa from our DNSSEC signer to our DNS distribution servers had a “bad zone” transfer status.

Further investigation found the automated ZSK rollover for 121.in-addr.arpa zone was completed as scheduled on 03:00 05 May 2018 (UTC+10). However, the DNSSEC signature for the 121.in-addr.arpa ‘TXT’ resource record indicated it had used the previously active ZSK id 63316 that no longer exists as a DNSKEY. This resulted in an invalid DNSSEC signature being detected for the 121.in-addr.arpa zone which prevented publication of the validly signed zone.

In order to flush the invalid signature data, APNIC incremented the zone serial number of 121.in-addr.arpa from our provisioning master DNS server. This allowed the DNSSEC signer to transfer a new copy of the 121.in-addr.arpa zone and re-sign resource records with the valid ZSK.

The root cause of the DNSSEC signing failure was a previously unknown bug in the signing system, which APNIC is discussing with the supplier of its DNSSEC signing system to prevent this incident from occurring again.

APNIC thanks the community for alerting us to the issue. APNIC is working to improve its monitoring systems to detect DNSSEC signing failures as they occur.

We apologize for the loss of facilities and any inconvenience caused. Should you require assistance in dealing with any problems arising from this outage, please contact the APNIC Helpdesk.