On 22. 05. 20 14:21, Anand Buddhdev wrote:
Dear colleagues,
Yesterday afternoon (21 May 2020), our DNSSEC signer rolled the Zone Signing Keys (ZSKs) of all the zones we operate. Unfortunately, a bug in the signer caused it to withdraw the old ZSKs soon after the new keys began signing the zones.
Validating resolvers may have experienced some failures if they had cached signatures made by the old ZSKs.
We apologise for any operational problems this may have caused. We are looking at the issue with the developers of our Knot DNS signer to prevent such an occurrence in the future.

Knot DNS 2.9.5 with a fix for this particular problem was released and we encourage all users to upgrade. Full release announcement:
https://lists.nic.cz/pipermail/knot-dns-users/2020-May/001815.html

The bug sometimes caused automatic key roll-overs to be finished too early, leading to temporary DNSSEC validation failures.

More detailed problem description + workaround:
https://lists.nic.cz/pipermail/knot-dns-users/2020-May/001813.html

We apologize to everyone affected.

--
Petr Špaček @ CZ.NIC
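
The timing constraint behind the failure described in this thread, as an added example that is not part of the original messages and is not Knot DNS code: a model of pre-publish ZSK roll-over timing, generalized to the retire interval described in RFC 7583. All class and function names, timestamps and TTLs are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ZskRollover:
    """Timeline of one ZSK roll-over, all times in seconds (constructed model)."""
    new_key_active: int     # new ZSK starts signing the zone
    old_key_removed: int    # old ZSK is withdrawn from the DNSKEY RRset
    resign_duration: int    # time needed to replace every old RRSIG
    propagation_delay: int  # time for the zone to reach all secondaries
    max_zone_ttl: int       # longest TTL of any signed RRset

    def last_old_signature_served(self) -> int:
        # Until this moment some server may still hand out an old-key RRSIG.
        return self.new_key_active + self.resign_duration + self.propagation_delay

    def earliest_safe_removal(self) -> int:
        # An old RRSIG can sit in a cache for one full TTL after it was served.
        return self.last_old_signature_served() + self.max_zone_ttl

    def failure_window(self) -> Optional[Tuple[int, int]]:
        """Worst-case period in which cached old signatures cannot be validated."""
        safe = self.earliest_safe_removal()
        if self.old_key_removed >= safe:
            return None
        return (self.old_key_removed, safe)


def validation_fails(r: ZskRollover, rrset_cached_at: int, rrset_ttl: int,
                     dnskey_fetched_at: int) -> bool:
    """True if a validator holding a cached RRset fetches a DNSKEY set without the old ZSK."""
    old_sig = rrset_cached_at < r.last_old_signature_served()
    still_cached = rrset_cached_at <= dnskey_fetched_at < rrset_cached_at + rrset_ttl
    old_key_gone = dnskey_fetched_at >= r.old_key_removed
    return old_sig and still_cached and old_key_gone


# Constructed sample timelines: old key withdrawn 10 minutes after the new key
# starts signing, versus withdrawn only after the retire interval has elapsed.
EARLY = ZskRollover(new_key_active=0, old_key_removed=600, resign_duration=0,
                    propagation_delay=300, max_zone_ttl=3600)
SAFE = ZskRollover(new_key_active=0, old_key_removed=3900, resign_duration=0,
                   propagation_delay=300, max_zone_ttl=3600)

if __name__ == "__main__":
    print("early withdrawal, failure window:", EARLY.failure_window())
    print("safe withdrawal, failure window:", SAFE.failure_window())
    print("cached RRset fails validation:", validation_fails(EARLY, -100, 3600, 1000))
```

Feeding a signer's actual key timestamps and the zone's real TTLs into `failure_window()` gives a quick audit of whether a completed roll-over respected the retire interval.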