One root DNS server was out of sync for 4 days

One of the 13 root DNS servers, c.root-servers.net, spent four days out of sync with the rest of the root server system. The root servers serve the DNS root zone, the first link in the name-resolution chain: it lists the name servers for the top-level domains and carries the DS records used to validate those zones with DNSSEC. Root server "C" (192.33.4.12) is an anycast service provided by 12 instances located in different countries. From May 18 to May 22, all of these instances stopped picking up changes to the root zone, served stale data, and were out of step with the rest of the root DNS infrastructure.

No changes to the root zone were actually made during that period, but one was scheduled: an update of the DNSSEC delegation for the top-level domain .gov, part of its migration to keys based on the ECDSA algorithm. The .gov zone has recently been signed with two algorithms, 8 (RSA/SHA-256) and 13 (ECDSA P-256/SHA-256), with algorithm 8 still the active one. The plan for the weekend was to add a DS record for algorithm 13 to the root zone and then begin removing the DS record for algorithm 8; the same swap was planned for the .int domain. The DS records for algorithm 13 were submitted to IANA but were not published: the key rollover was suspended once the problems were identified, until the situation with root server "C" stabilizes.

Root server "C" is operated by the Tier 1 backbone provider Cogent Communications, which has a presence in 53 countries. A few days before the incident, problems were reported reaching 1575 autonomous systems from the Cogent network after Cogent's peering with the Indian Tier 1 provider Tata Communications was terminated.

The stated cause of the missed root-zone updates was a failure in the monitoring system that tracks changes to the zone; the failure was triggered by a routing change unrelated to the operation of the DNS servers themselves. Apart from serving stale data, the instances behind root server "C" answered queries normally. Synchronization was fully restored on May 22 at 19:00 (MSK). The risks noted for a prolonged desynchronization are handing out outdated DNSSEC key material (DS records) and outdated addresses for the name servers of the top-level domains.
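A stale root server still answers authoritatively, so flags and RCODE look normal; the only thing that gives it away is the root-zone SOA serial, which every root server should agree on at any given moment. The check below is an added example, not code from the article, from Cogent, or from any root-server operator: it builds a raw non-recursive SOA query for ".", parses the SOA serial out of the wire-format reply, and flags any server whose serial lags the newest one seen. The root-server addresses are taken from the public IANA root hints and should be re-checked against the current named.root file before use; the sample reply is constructed inline so that the parser can be exercised offline, and the live query in `main` assumes UDP/53 is reachable.

```python
"""Compare the root-zone SOA serial across all 13 root servers (added example)."""
import socket
import struct
from typing import Dict, List, Tuple

# Addresses as published in the IANA root hints (named.root); verify before use.
ROOT_SERVERS: Dict[str, str] = {
    "a": "198.41.0.4", "b": "170.247.170.2", "c": "192.33.4.12",
    "d": "199.7.91.13", "e": "192.203.230.10", "f": "192.5.5.241",
    "g": "192.112.36.4", "h": "198.97.190.53", "i": "192.36.148.17",
    "j": "192.58.128.30", "k": "193.0.14.129", "l": "199.7.83.42",
    "m": "202.12.27.33",
}
QTYPE_SOA, QCLASS_IN = 6, 1


def build_soa_query(txid: int = 0x1234) -> bytes:
    """Wire-format SOA query for the root zone, RD bit clear (servers are authoritative)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = b"\x00" + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)  # "." is one empty label
    return header + question


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels: List[str] = []
    end, jumped = off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, keep original end
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_soa_serial(msg: bytes, txid: int = 0x1234) -> int:
    """Return the SOA serial from a reply; raise ValueError on anything unexpected."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):  # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SOA and rclass == QCLASS_IN:
            _mname, p = _read_name(msg, off)   # MNAME
            _rname, p = _read_name(msg, p)     # RNAME
            return struct.unpack("!I", msg[p:p + 4])[0]  # SERIAL follows the two names
        off += rdlen
    raise ValueError("no SOA record in answer section")


def serial_date(serial: int) -> str:
    """Root-zone serials use the form YYYYMMDDNN; render the date part."""
    s = str(serial)
    return f"{s[:4]}-{s[4:6]}-{s[6:8]}"


def find_stale(serials: Dict[str, int]) -> Tuple[int, List[str]]:
    """Return the newest serial seen and the letters still serving an older one."""
    newest = max(serials.values())
    return newest, sorted(k for k, v in serials.items() if v < newest)


def _build_sample_response(serial: int, txid: int = 0x1234) -> bytes:
    """Constructed authoritative SOA reply for ".", for offline testing of the parser."""
    def name(n: str) -> bytes:
        return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)  # QR + AA set, RCODE 0
    question = b"\x00" + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)
    rdata = (name("a.root-servers.net") + name("nstld.verisign-grs.com")
             + struct.pack("!IIIII", serial, 1800, 900, 604800, 86400))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 86400, len(rdata)) + rdata
    return header + question + answer


def query_serial(ip: str, timeout: float = 3.0) -> int:
    """Ask one root server for the root SOA over UDP and return its serial."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(), (ip, 53))
        data, _ = s.recvfrom(4096)
    return parse_soa_serial(data)


if __name__ == "__main__":
    seen: Dict[str, int] = {}
    for letter, ip in ROOT_SERVERS.items():
        try:
            seen[letter] = query_serial(ip)
        except (OSError, ValueError) as exc:
            print(f"{letter}: error: {exc}")
    if seen:
        newest, stale = find_stale(seen)
        print(f"newest serial {newest} ({serial_date(newest)}); stale: {stale or 'none'}")
```

Because the root servers are anycast, the instance you reach depends on your vantage point; the article's incident affected all 12 "C" instances, but a partial outage would only show up from networks routed to the affected sites, so a monitor should run from several locations.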
