[exim-announce] exim.org DNS snafu today

Author: Phil Pennock
Date:  
To: exim-announce
Subject: [exim-announce] exim.org DNS snafu today
Folks, I messed up, sorry. For another several hours there may be
issues resolving exim.org hostnames, if you use a validating resolver.

Our previous DNS hoster set long TTLs on the NS records for exim.org and
I didn't notice, only looking at the TTLs for the records which we set.

We cut over to new DNS hosting, with DNSSEC. That part is fine.
I updated the registry records for exim.org to add DS glue. That was a
mistake.

For as long as resolver caches still had the old NS records, a
validating resolver asking for DS records would result in records saying
"zone is signed!" but with invalid unsigned NS records in cache,
breaking all resolution. Because DS records are authoritative in the
parent of the zone cut, and are issued from org. nameservers without an
authority section, the caching nameserver has no chance to replace the
NS.

For now, I've deleted the DS records for exim.org from the registry.
If your cache already has them but has the old NS records, there's not
much I can do now to clean up my mistake. Sorry. Flushing the zone
will work, if critical.

(If you had the DS and the new NS, then you're fine: the DS should stay
cached and will validate, and when it expires the zone just switches to
appearing to be unsigned, so resolution still works.)

Tomorrow afternoon, we'll re-enable the DS registration.

Not a flawless deployment after all. :-(
-Phil
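The failure Phil describes has a simple pre-condition that can be checked before touching the registry: the DS must not appear in the parent until every resolver could have dropped the old NS RRset, and every nameserver in the new set must already serve a DNSKEY matching that DS. The script below is an added example, not code from Phil's message or from the Exim project. It computes key tags and DS digests per RFC 4034 and runs an offline pre-flight over constructed inputs (hypothetical nameserver names under `example.`, a constructed two-byte "public key", and made-up TTLs); the real checks would take their inputs from `dig` against the parent, the old hoster and the new servers.

```python
"""Pre-flight check before publishing a DS record at the registry.

Added example, not code from the exim-announce message or the Exim
project.  Models the failure mode in that message: a DS appears in the
parent while resolvers still hold the old, unsigned NS RRset because of
long TTLs, so validation fails until those NS records expire.  All
inputs below are constructed; nothing here talks to the network.
"""
import hashlib
import struct
from dataclasses import dataclass


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest (RFC 4034 s5.1.4): hash(owner wire name || DNSKEY RDATA)."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(wire_name(owner) + rdata).hexdigest().upper()


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


def ds_for_key(owner, flags, protocol, algorithm, pubkey, digest_type=2) -> DS:
    """The DS record a parent would publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return DS(key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def ds_preflight(zone, intended_ds, parent_ns, child_ns, old_apex_ns_ttl,
                 seconds_since_ns_change, dnskeys_served):
    """Return a list of reasons NOT to publish the DS yet (empty == go).

    parent_ns:     {nameserver: TTL} as delegated by the parent (org.)
    child_ns:      {nameserver: TTL} as served at the new zone apex
    old_apex_ns_ttl: TTL the previous hoster put on the apex NS RRset;
                   resolvers that fetched it keep it for that long
    dnskeys_served: {nameserver: [(flags, protocol, algorithm, pubkey), ...]}
    """
    problems = []
    if set(parent_ns) != set(child_ns):
        problems.append("parent and child NS RRsets differ")
    # Simplification: the clock starts when the NS change was made everywhere.
    must_wait = max(list(parent_ns.values()) + [old_apex_ns_ttl])
    if seconds_since_ns_change < must_wait:
        problems.append(f"old NS RRset may still be cached; wait "
                        f"{must_wait - seconds_since_ns_change}s")
    for ns in child_ns:
        keys = dnskeys_served.get(ns)
        if keys is None:
            problems.append(f"{ns}: DNSKEY RRset not checked")
            continue
        served = {ds_for_key(zone, *k, digest_type=intended_ds.digest_type) for k in keys}
        if intended_ds not in served:
            problems.append(f"{ns}: no DNSKEY matches the DS to be published")
    return problems


if __name__ == "__main__":
    # Constructed key material: flags 257 (KSK), protocol 3, algorithm 13,
    # and a two-byte stand-in for a real public key.
    ksk = (257, 3, 13, b"\x01\x02")
    ds = ds_for_key("exim.org", *ksk)
    servers = {"ns1.example.": 86400, "ns2.example.": 86400}
    keys = {ns: [ksk] for ns in servers}
    print("too early:", ds_preflight("exim.org", ds, servers, servers, 604800, 3600, keys))
    print("ready:    ", ds_preflight("exim.org", ds, servers, servers, 604800, 700000, keys))
```

`digest_type` 2 is SHA-256, the digest type a registry will normally accept today; the key tag has no cryptographic weight and only helps a validator pick the right DNSKEY, which is why the pre-flight compares whole DS records rather than tags.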