This is an official announcement from SIDN also published here.
In the course of Sunday 28 October, an error occurred during the publication of a new ZSK (with key tag 20331). Because of the error, the new ZSK was not published in the DNS when it should have been. However, the software used by SIDN (OpenDNSSEC) continued to work on the basis that the ZSK had been published successfully.
As a result, the pre-publication time of the new ZSK was too short. RRSIGs created using the new ZSK consequently appeared in the .nl zone before expiry of the TTL of the old DNSKEY RRset, which was consequently used by validating resolvers, resulting in DNSSEC validation errors. Validation errors began occurring at about 20:45.
DNSSEC validating users.
Following expiry of the TTL (after a maximum of 2 hours) or cache clearance (e.g. when the resolver was restarted), the correct key material was used and validation was successful.
Causes: SIDN has investigated the coincidence of circumstances and established that the following factors played a role:
- An error (crash) in OpenDNSSEC, resulting in non-publication of the zone file
- A discrepancy between the situation assumed to exist by OpenDNSSEC and the actual situation in the DNS, resulting in the new ZSK having an inappropriately short pre-publication time
SIDN will take steps to prevent recurrence.