nanog mailing list archives

Re: ru tld down?


From: Töma Gavrichenkov <ximaera () gmail com>
Date: Wed, 7 Feb 2024 20:58:08 +0200

Peace,

TWIMC: the .ru TLD has issued a post mortem. A tl;dr version:

After a new key was crafted during an ordinary key update process, its key
tag hash-collided with some other key, and due to a violation of the MUST
NOT clause in the RFC 4034, Appendix B, the wrong key was deployed to the
system.

--
Töma

On Wed, 31 Jan 2024, 9:59 am Bill Woodcock, <woody () pch net> wrote:

On Tue, Jan 30, 2024 at 8:11 AM Bill Woodcock <woody () pch net> wrote:
Not exactly down…  they just busted their DNSSEC, or their domain got
hijacked or something.  Bad DNSKEY records.

On Jan 31, 2024, at 06:34, Eric Kuhnke <eric.kuhnke () gmail com> wrote:
Not necessarily saying these are related, but given the current
geopolitical situation, not beyond the realm of possibility that this is
the result of 'something else' gone wrong.

Phil Kulin posted a more specific timeline on dns-ops:

Begin forwarded message:

From: Phil Kulin <schors () gmail com>
Subject: Re: [dns-operations] .RU zone failed ZSK rotation
Date: January 31, 2024 at 03:34:40 GMT+1
To: Sergey Myasoedov <s () netartgroup com>
Cc: dns-operations () lists dns-oarc net

Timeline:
2024-01-30 12:29:44 UTC: Last correct answer before outage (SOA SN:
4058855): https://dnsviz.net/d/ru/ZbjruA/dnssec/
2024-01-30 15:27:27 UTC: First bad answer (SOA SN: 4058857):
https://dnsviz.net/d/ru/ZbkVXw/dnssec/
2024-01-30 17:27:35 UTC: Resigning attempt (SOA SN: 4058857 and
4058858): https://dnsviz.net/d/ru/Zbkxhw/dnssec/
2024-01-30 17:59:46 UTC: Recovering process started (SOA SN: 4058857
and 4058857 and 4058858): https://dnsviz.net/d/ru/Zbk5Eg/dnssec/
2024-01-30 19:07:29 UTC: First completely good answer (SOA SN:
4058856): https://dnsviz.net/d/ru/ZblI8Q/dnssec/

There’s no reason to think that any external parties influenced this.
Ockham’s razor.

So many euphemisms suggest themselves in a situation like this…  Own-goal,
one-car-accident, etc.  Except that we all know that one small thing
overlooked and we’ll be in their shoes tomorrow.  All geopolitics aside, my
empathy to the .RU operator.

                                -Bill
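An added illustration of the failure class named in the tl;dr above, not part of the thread and not the .ru registry's software: the key tag computation from RFC 4034 Appendix B, two distinct DNSKEYs whose tags collide, and key selection that treats the tag as a candidate filter rather than a unique identifier. The key material is constructed for the example and the function names are hypothetical.

```python
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8          # even offsets are the high byte
    ac += (ac >> 16) & 0xFFFF                 # fold the carry back in
    return ac & 0xFFFF

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA wire format: flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

# Constructed sample keys, not real key material. Two bytes at offsets of the
# same parity are swapped, which leaves the 16-bit checksum unchanged, so the
# two different keys get the same tag.
OLD_ZSK = dnskey_rdata(256, 8, bytes.fromhex("0301000111223344aabbccdd"))
NEW_ZSK = dnskey_rdata(256, 8, bytes.fromhex("0301000133221144aabbccdd"))

def candidates(keys, algorithm, tag):
    """The tag only narrows the set of keys that might be the right one."""
    return [k for k in keys if k[3] == algorithm and key_tag(k) == tag]

def find_by_tag_only(keys, algorithm, tag):
    """Unsafe: assumes the tag is unique and returns the first match."""
    hits = candidates(keys, algorithm, tag)
    return hits[0] if hits else None

def find_exact(keys, wanted_rdata):
    """Safe: confirm a candidate by comparing the full RDATA."""
    for k in candidates(keys, wanted_rdata[3], key_tag(wanted_rdata)):
        if k == wanted_rdata:
            return k
    return None

def tag_collisions(keys, new_rdata):
    """Pre-deployment check: other keys sharing algorithm and tag with the new key."""
    return [k for k in candidates(keys, new_rdata[3], key_tag(new_rdata))
            if k != new_rdata]

if __name__ == "__main__":
    store = [OLD_ZSK, NEW_ZSK]
    tag = key_tag(NEW_ZSK)
    print("tag:", tag, "candidates:", len(candidates(store, 8, tag)))
    print("tag-only lookup returns new key:", find_by_tag_only(store, 8, tag) == NEW_ZSK)
    print("exact lookup returns new key:   ", find_exact(store, NEW_ZSK) == NEW_ZSK)
```

Running tag_collisions against the existing key set before a rollover flags the collision, so a new key can be generated instead of relying on the tag to tell the two apart.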


