5 Nov 2023, 3:13 p.m.
Dear Paul,
> Please find below the post mortem for the DNSSEC problem that caused most of RIPE NCC's services to become unavailable yesterday.

Thank you very much for the detailed post-mortem.

> Please reach out if you have any questions or feedback.

I would like to comment on a single item, see below.

> New or changed records were still properly signed (363 of them), which meant that our monitoring, which checks the signature validity of the SOA record at the zone apex, missed this issue.

It may be a good idea to check for the lowest timestamp of signature validity (of the RRSIG records) in the zone. We monitor this for .hu from the beginning (i.e. since we started signing the zone with DNSSEC).

Best regards,
Janos
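
The check suggested above, as an added example that is not part of the original message and is neither RIPE NCC's nor the .hu registry's monitoring code: it finds the soonest-expiring RRSIG in a zone and compares the result with an apex-SOA-only check. The zone `example.`, all timestamps, the one-record-per-line input and the 3-day threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample, one record per line as `dig AXFR` prints it; signatures are dummies.
ZONE = """\
example. 3600 IN SOA ns.example. host.example. 2023110401 3600 600 864000 3600
example. 3600 IN RRSIG SOA 13 1 3600 20231118120000 20231104120000 12345 example. AAAA
example. 3600 IN RRSIG NS 13 1 3600 20231105090000 20231022090000 12345 example. BBBB
example. 3600 IN NSEC new.example. NS SOA RRSIG NSEC DNSKEY
www.example. 300 IN RRSIG A 13 2 300 20231104150000 20231021150000 12345 example. CCCC
new.example. 300 IN RRSIG A 13 2 300 20231118120000 20231104120000 12345 example. DDDD
"""

def parse_time(field):
    """RRSIG times are YYYYMMDDHHmmSS in UTC, or seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def rrsigs(zone_text):
    """Yield (owner, type_covered, expiration) for each RRSIG record."""
    for line in zone_text.splitlines():
        f = line.split()
        if not f or f[0].startswith(";"):
            continue
        i = 1  # skip optional TTL and class to find the record type
        while i < len(f) and (f[i].isdigit() or f[i].upper() in ("IN", "CH", "HS")):
            i += 1
        # An NSEC type bitmap also contains the token "RRSIG"; only the type field counts.
        if i + 9 >= len(f) or f[i].upper() != "RRSIG":
            continue
        # RDATA order: covered, algorithm, labels, original TTL, expiration, ...
        yield f[0].lower(), f[i + 1].upper(), parse_time(f[i + 5])

def apex_soa_valid(zone_text, apex, now):
    """The apex-only check from the post-mortem, for comparison."""
    return any(exp > now for owner, covered, exp in rrsigs(zone_text)
               if owner == apex and covered == "SOA")

def check_lowest_expiry(zone_text, now, min_remaining=timedelta(days=3)):
    """Classify the zone by its soonest-expiring RRSIG (3 days is an assumed threshold)."""
    owner, covered, exp = min(rrsigs(zone_text), key=lambda r: r[2])
    left = exp - now
    status = "EXPIRED" if left <= timedelta(0) else "WARNING" if left < min_remaining else "OK"
    return status, owner, covered, exp

if __name__ == "__main__":
    now = datetime(2023, 11, 4, 16, 0, tzinfo=timezone.utc)  # constructed "current" time
    print(apex_soa_valid(ZONE, "example.", now), check_lowest_expiry(ZONE, now))
```

With the constructed time, the apex SOA signature is still valid while the lowest-expiry check reports the already expired signature on `www.example.`.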