The .SE incident on February 4, 2022

Of course, we take this incident very seriously. To ensure the continued robust operation of the .se zone, we are carefully analysing the incident, and how it could have occurred.

As soon as we have all the facts, we will get back with a full account of what happened, together with the measures we will take to avoid a recurrence of the problem.

What we know at the moment is that:

• ●  An error occurred in our signing solution and created incorrect DNSSEC signatures for .se domains/zones.
• ●  The .nu zone was completely unaffected by this error.
• ●  The error began on Friday morning with the .se zone file which was published at approximately 10:20 UTC+1.

(.se distributes/publishes a new zone file every hour, the same applies for .nu).

The first affected .se zone file had serial number 2022020410. The domains that have incorrect DNSSEC signatures in this zone file have the same error in the subsequent zone file.

• ●  The last incorrectly distributed .se zone file was published at approx. 15:20 UTC+1 and had the serial number 2022020415. A total of 6 incorrect zone files were distributed on Friday, February 4 (see below).
• ●  Distribution of both the .se and .nu zones was shut down at approx. 15:45 UTC+1 (on February 4).
• ●  The correct .se zone file was published with the serial number 2022020418 and distributed around 22:30 UTC+1 (on February 4).

Our current assessment of the total number of domains with errors, and the number of affected (see IMPACTED in table below, queries from validating resolvers fail) domains per zone file are the following:

 

Serial	Total records	DS Failures	NSEC Failures	Total Failures	Total Domains with signature failures
2022020410	8715922	426	795	1221	1220
2022020411	8716280	1051	1797	2848	2845
2022020412	8716543	1658	2797	4455	4447
2022020413	8716677	2352	4011	6363	6345
2022020414	8717078	2908	4957	7865	7841
2022020415	8717397	3429	5944	9373	9345

 

 

We have categorized the failures in six categories and made an assessment of the impact on resolution

 

A	No DS record	Correct signed NSEC record	Domain works as expected
B	No DS record	Incorrect signed NSEC record	Domain impacted
C	Correct signed DS record	Correct signed NSEC record	Domain works as expected
D	Correct signed DS record	Incorrect signed NSEC record	Domain works as expected
E	Incorrect signed DS record	Correct signed NSEC record	Domain impacted
F	Incorrect signed DS record	Incorrect signed NSEC record	Domain impacted

 

 

Serial	A	B	C	D	E	F	IMPACTED
2022020410	599459	354	802944	440	425	1	780
2022020411	599050	786	801787	1008	1048	3	1837
2022020412	598677	1211	800615	1578	1650	8	2869
2022020413	598157	1747	799263	2246	2334	18	4099
2022020414	597806	2148	798190	2785	2884	24	5056
2022020415	597444	2564	797108	3352	3401	28	5993

 

Today we seek guidance from the community on the correctness of this assessment.

 

Kind regards

 

Ulrich

 

-- 

Ulrich Wisser
Senior DNS Expert

The Swedish Internet Foundation
Mobile: +46 704 467 893
https://internetstiftelsen.se/dns-labs/