Invalid DNS Signatures of Russia's .ru Domain: Incident Discussed and Resolved – BNN Breaking

0
By clicking the button, I accept the Terms of Use of the service and its Privacy Policy, as well as consent to the processing of personal data
Don’t have an account? Signup
Follow Us
Russia’s Domain Name System (DNS), the .ru, recently witnessed an incident that has sparked discussions on the DNS-OARC mailing list. The problem was identified as invalid signatures produced by a Zone Signing Key (ZSK) with the identifier 52263. Despite standard DNSSEC issues where the Delegation Signer (DS) record and the DNSKEY record are out of sync, this case saw both records maintaining consistency throughout the incident.
Two main hypotheses have emerged regarding the root cause of the problem. The first points to something peculiar about this specific key that triggered the signature breakdown. This, however, is considered less likely. The second hypothesis tilts towards a potential glitch in the signing system itself.
Observations revealed that the .ru domain not only reverted to a previous ZSK but also to an earlier zone version. This is indicated by the unchanged SOA serial number (4058856), which had been updating nearly every two hours before the incident. This suggests there might be an ongoing issue with the capacity to sign the zone data.
The incident has been swiftly resolved, and the details are set to be examined in a short talk at the upcoming FOSDEM conference in Brussels. The topic will be addressed either in the DNS devroom or during the lightning talks session. This incident has also sparked questions about the use of ECC in the DNSSEC ecosystem and the migration from RSA to ECDSA in other domain zones. It throws light on the unforgivable use of 1024-bit keys in DNSSEC and the top-down security chain in DNS resolution.
The DNSSEC failure took .ru and .рф domains offline, impacting major websites and platforms in Russia. The national administrator for the .ru and .рф domains confirmed that the DNSSEC failure was rectified after two hours of work. This incident, while resolved, has raised pertinent questions about the global DNSSEC infrastructure and its resilience in the face of technical glitches.

Subscribe to our Newsletter!

Share this article
If you liked this article share it with your friends.
they will thank you later

source

About The Author

admin

See author's posts