Tell HN: Silent Netcup Domain Registrar DNSSEC Failure

2 points by antonly 21 days ago · 1 comment · 2 min read


Netcup (a European registrar) has had issues with parts of their DNSSEC infrastructure, leading to many domains' advertised DS records not matching Netcup's DNSSEC keys.

You can verify this by grabbing the DS records for one of the affected domains (pikz.cc):

    > dig @1.1.1.1 pikz.cc DS +short
    33487 8 2 4AF88BD043D909E290E2CC69626E619CC4BC54F98469042AB696027F DB981B8E

and comparing it to the DNSSEC key:

    > dig @root-dns.netcup.net pikz.cc DNSKEY +multiline
    <snip>
    ;; ANSWER SECTION:
    pikz.cc.  86400 IN DNSKEY 256 3 8 (
    <snip>
    ) ; ZSK; alg = RSASHA256 ; key id = 51649
    pikz.cc.  86400 IN DNSKEY 257 3 8 (
    <snip>
    ) ; KSK; alg = RSASHA256 ; key id = 37505

Note how neither 51649 nor 37505 is the advertised DS key tag of 33487.

I noticed this issue on Saturday, and have contacted support three times. I received an "issue fixed, boss" on Monday, but issues have persisted.

The worst part is that this only shows up on DNS servers implementing DNSSEC, which apparently my uptime monitor does not use, so I never got a warning except for a dip in traffic and a "domain unreachable" error in my browser.

Google (8.8.8.8) and Cloudflare (1.1.1.1) notably do enforce DNSSEC, so the pages are down when using their services.
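The check the post does by eye (key ids from dig's comments vs. the key tag in the DS) can be done properly by recomputing the key tag and the DS digest from the child zone's DNSKEY RDATA (RFC 4034 Appendix B and section 5.1.4) and comparing all of tag, algorithm and digest, since key tags are not unique. The script below is an added example, not code from the post or from Netcup. The owner name example.test and the tiny base64 DNSKEY are constructed (the key is not a usable RSA key, only its bytes matter for the arithmetic); the DS line is the one quoted above, so against the fake key it must report a mismatch, as it does for pikz.cc.

```python
import base64
import hashlib

# Constructed sample input: the shape of what `dig +short` prints.
SAMPLE_OWNER = "example.test."          # constructed, not a real delegation
SAMPLE_DNSKEYS = ["257 3 8 AQOrze8B"]   # constructed fake KSK, key tag 40923
SAMPLE_DS = [                           # the DS quoted in the post for pikz.cc
    "33487 8 2 4AF88BD043D909E290E2CC69626E619CC4BC54F98469042AB696027F DB981B8E",
]

# Digest types from the DS RDATA (RFC 4034 / RFC 4509 / RFC 6605); 1 is legacy SHA-1.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(owner: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase,
    length-prefixed labels, terminated by the root label."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(rdata_text: str):
    """Parse 'flags protocol algorithm base64...' (base64 may contain spaces)
    into (flags, algorithm, wire RDATA)."""
    flags, proto, alg, *b64 = rdata_text.split()
    pubkey = base64.b64decode("".join(b64))
    rdata = int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + pubkey
    return int(flags), int(alg), rdata


def key_tag(rdata: bytes) -> int:
    """Key tag for algorithms other than 1, per RFC 4034 Appendix B:
    16-bit ones'-complement-ish sum over the whole DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2):
    """The DS a parent should publish for this key: digest is over
    canonical owner name || DNSKEY RDATA (RFC 4034 s5.1.4)."""
    h = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, h   # rdata[3] is the algorithm octet


def parse_ds(text: str):
    """Parse 'tag alg digest_type hex...' (dig splits the hex with spaces)."""
    tag, alg, dt, *digest = text.split()
    return int(tag), int(alg), int(dt), "".join(digest).upper()


def check_delegation(owner, dnskey_texts, ds_texts):
    """For every DS the parent advertises, report whether some DNSKEY in the
    child zone reproduces it exactly. A tag-only comparison is not enough:
    different keys can share a key tag, so the digest is compared too."""
    keys = [parse_dnskey(t)[2] for t in dnskey_texts]
    report = []
    for ds_text in ds_texts:
        tag, alg, dt, digest = parse_ds(ds_text)
        if dt not in DIGESTS:
            report.append((tag, "unsupported digest type %d" % dt))
            continue
        matched = any(ds_from_dnskey(owner, k, dt) == (tag, alg, dt, digest) for k in keys)
        report.append((tag, "ok" if matched else "no DNSKEY matches"))
    return report


if __name__ == "__main__":
    zone_tags = [key_tag(parse_dnskey(t)[2]) for t in SAMPLE_DNSKEYS]
    print("DNSKEY tags served by the child zone:", zone_tags)
    for tag, verdict in check_delegation(SAMPLE_OWNER, SAMPLE_DNSKEYS, SAMPLE_DS):
        print("DS %d: %s" % (tag, verdict))
    # What the parent would have to publish for the key it actually serves:
    print("expected DS: %d %d %d %s" % ds_from_dnskey(SAMPLE_OWNER, parse_dnskey(SAMPLE_DNSKEYS[0])[2]))
```

In practice you would fill SAMPLE_DS from `dig @1.1.1.1 <zone> DS +short` and SAMPLE_DNSKEYS from `dig @<authoritative server> <zone> DNSKEY +short`, and alert when any advertised DS gets "no DNSKEY matches"; that is the condition a validating resolver turns into SERVFAIL, and it is exactly what a plain HTTP uptime check behind a non-validating resolver never sees.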

