The .SE incident on February 4, 2022

Of course, we take this incident very seriously. To ensure the continued robust operation of the .se zone, we are carefully analysing the incident, and how it could have occurred. As soon as we have all the facts, we will get back with a full account of what happened, together with the measures we will take to avoid a recurrence of the problem.

What we know at the moment is that:

* An error occurred in our signing solution and created incorrect DNSSEC signatures for .se domains/zones.
* The .nu zone was completely unaffected by this error.
* The error began on Friday morning with the .se zone file which was published at approximately 10:20 UTC+1. (.se distributes/publishes a new zone file every hour, the same applies for .nu). The first affected .se zone file had serial number 2022020410. The domains that have incorrect DNSSEC signatures in this zone file have the same error in the subsequent zone file.
* The last incorrectly distributed .se zone file was published at approx. 15:20 UTC+1 and had the serial number 2022020415. A total of 6 incorrect zone files were distributed on Friday, February 4 (see below).
* Distribution of both the .se and .nu zones was shut down at approx. 15:45 UTC+1 (on February 4).
* The correct .se zone file was published with the serial number 2022020418 and distributed around 22:30 UTC+1 (on February 4).

Our current assessment of the total number of domains with errors, and the number of affected (see IMPACTED in table below, queries from validating resolvers fail) domains per zone file are the following:

Serial      Total records  DS Failures  NSEC Failures  Total Failures  Total Domains with signature failures
2022020410  8715922        426          795            1221            1220
2022020411  8716280        1051         1797           2848            2845
2022020412  8716543        1658         2797           4455            4447
2022020413  8716677        2352         4011           6363            6345
2022020414  8717078        2908         4957           7865            7841
2022020415  8717397        3429         5944           9373            9345

We have categorized the failures in six categories and made an assessment of the impact on resolution:

A  No DS record                Correct signed NSEC record    Domain works as expected
B  No DS record                Incorrect signed NSEC record  Domain impacted
C  Correct signed DS record    Correct signed NSEC record    Domain works as expected
D  Correct signed DS record    Incorrect signed NSEC record  Domain works as expected
E  Incorrect signed DS record  Correct signed NSEC record    Domain impacted
F  Incorrect signed DS record  Incorrect signed NSEC record  Domain impacted

Serial      A       B     C       D     E     F   IMPACTED
2022020410  599459  354   802944  440   425   1   780
2022020411  599050  786   801787  1008  1048  3   1837
2022020412  598677  1211  800615  1578  1650  8   2869
2022020413  598157  1747  799263  2246  2334  18  4099
2022020414  597806  2148  798190  2785  2884  24  5056
2022020415  597444  2564  797108  3352  3401  28  5993

Today we seek guidance from the community on the correctness of this assessment.

Kind regards
Ulrich

--
Ulrich Wisser
Senior DNS Expert
The Swedish Internet Foundation
Mobile: +46 704 467 893
https://internetstiftelsen.se/dns-labs/
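
An added example, not part of the original message or the registry's tooling: it recomputes the summary columns of the first table and the IMPACTED column from the per-category counts, so the two tables can be checked against each other. The resolver model in `delegation_outcome` is an assumption based on the category table above, and all function names are hypothetical.

```python
# Added example: cross-check the email's summary columns against its A..F counts.

def delegation_outcome(has_ds, ds_sig_ok, nsec_sig_ok):
    """Assumed model of a validating resolver at the .se -> child delegation."""
    if has_ds:
        # A signed DS RRset carries the chain of trust; the NSEC is not consulted.
        return "works" if ds_sig_ok else "impacted"
    # No DS: the signed NSEC has to prove that the DS is absent.
    return "works" if nsec_sig_ok else "impacted"

# category -> (has_ds, ds_sig_ok, nsec_sig_ok), as defined in the email
CATEGORIES = {
    "A": (False, None, True), "B": (False, None, False),
    "C": (True, True, True), "D": (True, True, False),
    "E": (True, False, True), "F": (True, False, False),
}

# serial -> counts for A..F, copied from the email's per-category table
COUNTS = {
    2022020410: (599459, 354, 802944, 440, 425, 1),
    2022020411: (599050, 786, 801787, 1008, 1048, 3),
    2022020412: (598677, 1211, 800615, 1578, 1650, 8),
    2022020413: (598157, 1747, 799263, 2246, 2334, 18),
    2022020414: (597806, 2148, 798190, 2785, 2884, 24),
    2022020415: (597444, 2564, 797108, 3352, 3401, 28),
}
# serial -> (DS fail, NSEC fail, total fail, domains with failures, IMPACTED)
PUBLISHED = {
    2022020410: (426, 795, 1221, 1220, 780),
    2022020411: (1051, 1797, 2848, 2845, 1837),
    2022020412: (1658, 2797, 4455, 4447, 2869),
    2022020413: (2352, 4011, 6363, 6345, 4099),
    2022020414: (2908, 4957, 7865, 7841, 5056),
    2022020415: (3429, 5944, 9373, 9345, 5993),
}

def summarize(counts):
    ds = nsec = domains = impacted = 0
    for cat, n in zip("ABCDEF", counts):
        has_ds, ds_ok, nsec_ok = CATEGORIES[cat]
        ds += n if ds_ok is False else 0
        nsec += n if nsec_ok is False else 0
        domains += n if (ds_ok is False or nsec_ok is False) else 0
        if delegation_outcome(has_ds, ds_ok, nsec_ok) == "impacted":
            impacted += n
    return (ds, nsec, ds + nsec, domains, impacted)

def mismatches():
    """Serials whose recomputed columns differ from the published ones."""
    return {s: summarize(c) for s, c in COUNTS.items() if summarize(c) != PUBLISHED[s]}
```

`mismatches()` returns an empty dict for the six serials above: the published totals are consistent with the category counts under this model, where IMPACTED equals B + E + F.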