Latest news of the domain name industry

Recent Posts

DNSSEC claims another victim as entire TLD disappears

Kevin Murphy, March 9, 2022, 15:09:13 (UTC), Domain Tech

A country’s top-level domain disappeared from the internet for many people yesterday, apparently due to a DNSSEC key rollover gone wrong.

All domains in Fiji’s ccTLD, .fj, stopped resolving for anyone behind a strict DNSSEC resolver in the early hours of the morning UTC, afternoon local time, and stayed down for over 12 hours.

Some domains may still be affected due to caching, according to the registry and others.

The University of the South Pacific, which runs the domain, said that it had to contact ICANN’s IANA people to get the problem fixed, which took a while because it had to wait for IANA’s US-based support desk to wake up.

IANA head Kim Davies said that in fact its support runs 24/7 and in this case IANA took Fiji’s call at 2.47am local time.

Analyses on mailing lists and by Cloudflare immediately pointed to a misconfiguration in the country’s DNSSEC.

It seems Fiji rolled one of its keys for the first time and messed it up, meaning its zone was signed with a non-existent key.

Resolvers that implement DNSSEC strictly view such misconfigurations as a potential attack and nix the entire affected zone.

It happens surprisingly often, though not usually at the TLD level. That said, a similar problem hit thousands of Sweden’s .se domains, despite the registry having a decade’s more DNSSEC experience than Fiji, last month.

Domain Incite had a similar problem recently when its registrar carried on publishing DNSSEC information for the domain long after I’d stopped paying for it.

UPDATE: This post was updated with comment from IANA.

Tagged: , , , ,

Comments (4)

  1. Kim Davies says:

    IANA operates a 24×7 call center for emergency change requests like these. In this instance we were contacted at 2:47am our local time to notify us of the emergency and we immediately started working on the request. There wasn’t any delay caused by a need to wait for our regular working hours.

  2. Garth Miller says:

    I suspect the delay in resolution may have resulted from a reliance on, and expectation that the rmz portal was 24/7. Once the emergency phone number was provided to the TLD manager and IANA techs contacted directly by voice I am reliably informed the issue was swiftly resolved.

  3. Prince Andrew Livingstone Zutah says:

    Probably, the delay in resolving was due to them trying to explore ways of resolving the problem finally decided to engage IANA when they could make any headway.

Add Your Comment