DNSSEC claims another victim as entire TLD disappears
A country’s top-level domain disappeared from the internet for many people yesterday, apparently due to a DNSSEC key rollover gone wrong.
All domains in Fiji’s ccTLD, .fj, stopped resolving for anyone behind a strict DNSSEC resolver in the early hours of the morning UTC, afternoon local time, and stayed down for over 12 hours.
Some domains may still be affected due to caching, according to the registry and others.
The University of the South Pacific, which runs the domain, said that it had to contact ICANN’s IANA people to get the problem fixed, which took a while because it had to wait for IANA’s US-based support desk to wake up.
IANA head Kim Davies said that in fact its support runs 24/7 and in this case IANA took Fiji’s call at 2.47am local time.
Analyses on mailing lists and by Cloudflare immediately pointed to a misconfiguration in the country’s DNSSEC.
It seems Fiji rolled one of its keys for the first time and messed it up, meaning its zone was signed with a non-existent key.
Resolvers that implement DNSSEC strictly view such misconfigurations as a potential attack and nix the entire affected zone.
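The failure mode described above is a chain-of-trust break: the parent zone keeps publishing a DS record that references a KSK the child no longer serves in its DNSKEY RRset, so a validating resolver cannot build a path from the parent to the child's signatures and marks the whole zone bogus. The pre-rollover check a registry operator would want is "does every DS in the parent match a DNSKEY currently published at our apex?". The following is an added example, not code from the article, the .fj registry or IANA: it implements the RFC 4034 DS digest (SHA-256 over the canonical owner name plus DNSKEY RDATA) and the Appendix B key-tag calculation, then runs that consistency check over a healthy delegation and over a constructed rollover in which the child swapped its KSK but the parent DS was never updated. All key material is synthetic and the zone name `example.` is a placeholder.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical DNS wire form of an owner name (lower-case, length-prefixed labels, root label)."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as it appears on the wire: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except the obsolete 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """RFC 4034 s5.1.4: digest(owner name in wire form || DNSKEY RDATA); type 1 = SHA-1, 2 = SHA-256."""
    h = hashlib.sha256 if digest_type == 2 else hashlib.sha1
    return h(name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner: str, dnskey: tuple, digest_type: int = 2) -> tuple:
    """Build the DS tuple (key_tag, algorithm, digest_type, digest) the parent would publish for a DNSKEY."""
    rdata = dnskey_rdata(*dnskey)
    return (key_tag(rdata), dnskey[2], digest_type, ds_digest(owner, rdata, digest_type))


def orphaned_ds(owner: str, parent_ds_set: list, child_dnskey_set: list) -> list:
    """Return every parent DS that matches no DNSKEY at the child apex.

    An empty list means each DS has a live key behind it. A non-empty list is the
    state a validating resolver would reject: the parent vouches for a key that does
    not exist, so no DNSKEY can be authenticated and the zone goes bogus (SERVFAIL).
    """
    published = set()
    for dnskey in child_dnskey_set:
        rdata = dnskey_rdata(*dnskey)
        for dt in (1, 2):  # accept either digest type the parent might have chosen
            published.add((key_tag(rdata), dnskey[2], dt, ds_digest(owner, rdata, dt)))
    return [
        ds for ds in parent_ds_set
        if (ds[0], ds[1], ds[2], ds[3].upper()) not in published
    ]


# Constructed, non-real keys (algorithm 13 uses a 64-byte raw public key). Flags 257 = KSK, 256 = ZSK.
OLD_KSK = (257, 3, 13, base64.b64encode(bytes(range(0, 64))).decode())
NEW_KSK = (257, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())
ZSK = (256, 3, 13, base64.b64encode(bytes(range(128, 192))).decode())


def rollover_scenarios(owner: str = "example."):
    """Run the DS/DNSKEY consistency check for a healthy delegation and a botched KSK rollover."""
    ds_old = make_ds(owner, OLD_KSK)
    # Healthy: the parent's DS points at a KSK that is still published in the child.
    healthy = orphaned_ds(owner, [ds_old], [OLD_KSK, ZSK])
    # Broken: the child replaced its KSK but the parent DS was not updated, so the DS
    # now references a key the child no longer serves. This is the shape of a rollover gone wrong.
    broken = orphaned_ds(owner, [ds_old], [NEW_KSK, ZSK])
    return healthy, broken


if __name__ == "__main__":
    healthy, broken = rollover_scenarios()
    print("healthy delegation, orphaned DS:", healthy)
    for tag, alg, dt, digest in broken:
        print(f"BROKEN: parent DS keytag={tag} alg={alg} digest_type={dt} has no matching DNSKEY")
```

The safe order for a KSK rollover follows directly from this check: publish the new DNSKEY alongside the old one, wait at least the DNSKEY TTL, have the parent add the new DS, wait at least the DS TTL, and only then remove the old key. Running the check against the live parent DS set before each removal step would have flagged the orphaned DS before any resolver did.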
It happens surprisingly often, though not usually at the TLD level. Last month a similar problem hit thousands of Sweden’s .se domains, despite that registry having a decade’s more DNSSEC experience than Fiji.
Domain Incite had a similar problem recently when its registrar carried on publishing DNSSEC information for the domain long after I’d stopped paying for it.
UPDATE: This post was updated with comment from IANA.