from Hacker News

Russian TLD .RU fails DNSSEC validation

by ainar-g on 1/30/24, 4:48 PM with 22 comments

  • by assusdan on 1/30/24, 5:02 PM

    That was scary. Fixed at about 16:55 UTC, total about 1hr of downtime.
  • by dgrin91 on 1/30/24, 5:09 PM

    I'm not familiar with DNSSEC. What is the impact of this? Do web pages fail to load or is it just some security warning? Also, was this just someone failing to update a cert in time or is this some sort of hack?
  • by woodruffw on 1/30/24, 5:30 PM

    As a side question: am I correct in reading this to imply that the two "leaf" keys here are both RSA 1024 keys? RSA 1024 has been considered within nation-state capabilities for well over a decade, and NIST has explicitly discouraged them for DNSSEC for close to a decade[1].

    I can understand not using larger RSA key sizes for framing reasons, but what is stopping the DNSSEC ecosystem from using ECC?

    [1]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S...

  • by Chalbroth on 1/30/24, 6:00 PM

    DNSSEC failure is just the result of many of the nameservers serving .ru and other TLDs not responding. This is especially observable if you are IPv4 only.
  • by arcza on 1/30/24, 5:28 PM

    Poor blog's getting the hug of death :)
  • by krunck on 1/30/24, 5:00 PM

    I saw this start at 10:14:29 CST.