Re: [DNSOP] How Slack didn't turn on DNSSEC

Mark Andrews <> Wed, 01 December 2021 08:36 UTC

From: Mark Andrews <>
Date: Wed, 01 Dec 2021 19:35:52 +1100
Cc:, John Levine <>
To: Philip Homburg <>
Subject: Re: [DNSOP] How Slack didn't turn on DNSSEC

Also stop hiding this breakage. Knot and Unbound ignore the NSEC records which trigger this when synthesising. All it does is push the problem down the road and makes it harder for others to do proper synthesis based on the records returned.

Mark Andrews

> On 1 Dec 2021, at 18:36, Philip Homburg <> wrote:
>> It is clear from the blog post that this is a fairly sophisticated
>> group of ops people, who had a reasonable test plan, a bunch of test
>> points set up in dnsviz and so forth.  Neither of these bugs seem
>> very exotic, and could have been caught by routine tests.
> It is not clear whether or not they did ZSK and KSK key rollovers
> on test zones and on minor zones. If they didn't, that's a good way to
> get in trouble later on.
> The main lesson learned from this incident seems to be to always create
> a test zone with content identical to that of the main zone and fully
> test that zone.
> A common lesson, also not mentioned, is to have low TTLs for stuff you
> control. It would not have helped with the DS record. But the discussion
> about the ZSK being lost would have been helped with a low TTL in the DNSKEY
> RR set.
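The quoted reply names two operational safeguards: a DS at the parent that actually matches a key in the child's DNSKEY RRset, and a low TTL on the DNSKEY RRset so that a rollover mistake ages out of caches quickly. The script below is an added example written for this page, not code from either poster or from the Slack write-up. It implements the RFC 4034 key-tag and DS-digest computations offline and runs a pre-flight check over a constructed dummy KSK (a 257/3/13 record whose 64 filler bytes are not a real curve point) and a constructed DS set; the zone name `example.test.` and the 3600-second TTL ceiling are assumptions chosen for the example.

```python
"""Offline DNSSEC pre-flight: does every parent DS match a published DNSKEY, and is
the DNSKEY RRset TTL low enough that a bad rollover would not linger in caches?

Added example for this thread; the key material below is constructed, not real.
"""
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    owner: str          # zone apex, e.g. "example.test."
    ttl: int            # RRset TTL in seconds
    flags: int          # 256 = ZSK, 257 = KSK (SEP bit set)
    protocol: int       # always 3 for DNSSEC
    algorithm: int      # e.g. 13 = ECDSAP256SHA256
    public_key_b64: str

    def rdata(self) -> bytes:
        """Wire-format RDATA, the input to both the key tag and the DS digest (RFC 4034)."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + base64.b64decode(self.public_key_b64))


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int    # 2 = SHA-256, 4 = SHA-384
    digest: str         # hex, compared case-insensitively


def owner_wire(name: str) -> bytes:
    """Canonical (lower-cased, uncompressed) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(len(l).to_bytes(1, "big") + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete 1/RSAMD5)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(key: DNSKEY, digest_type: int = 2) -> str:
    """DS digest = hash(owner name in wire form | DNSKEY RDATA), upper-case hex."""
    h = {2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return h(owner_wire(key.owner) + key.rdata()).hexdigest().upper()


def ds_matches(ds_set, dnskeys):
    """Pair every parent-side DS with the DNSKEY it authenticates, or None."""
    pairs = []
    for ds in ds_set:
        match = next((k for k in dnskeys
                      if k.algorithm == ds.algorithm
                      and key_tag(k) == ds.key_tag
                      and ds_digest(k, ds.digest_type) == ds.digest.upper()), None)
        pairs.append((ds, match))
    return pairs


def preflight(ds_set, dnskeys, max_dnskey_ttl=3600):
    """Return a list of findings; an empty list means the zone passed both checks."""
    findings = []
    for ds, key in ds_matches(ds_set, dnskeys):
        if key is None:
            findings.append(f"DS tag={ds.key_tag} alg={ds.algorithm} matches no published "
                            f"DNSKEY: validators would treat the zone as bogus")
    for k in dnskeys:
        if k.ttl > max_dnskey_ttl:
            findings.append(f"DNSKEY tag={key_tag(k)} TTL {k.ttl}s exceeds {max_dnskey_ttl}s: "
                            f"a rollover mistake would stay cached that long")
    return findings


# Constructed dummy KSK: flags 257, protocol 3, algorithm 13, 64 filler bytes of 0x01.
DUMMY_KSK = DNSKEY("example.test.", ttl=300, flags=257, protocol=3, algorithm=13,
                   public_key_b64=base64.b64encode(b"\x01" * 64).decode())


def demo():
    """Run the check against a correct DS, a stale DS (wrong tag), and a long-TTL key."""
    good_ds = DS(key_tag(DUMMY_KSK), 13, 2, ds_digest(DUMMY_KSK))
    stale_ds = DS(key_tag(DUMMY_KSK) + 1, 13, 2, good_ds.digest)
    slow_key = DNSKEY(DUMMY_KSK.owner, 86400, 257, 3, 13, DUMMY_KSK.public_key_b64)
    return {
        "correct": preflight([good_ds], [DUMMY_KSK]),
        "stale_ds": preflight([stale_ds], [DUMMY_KSK]),
        "long_ttl": preflight([good_ds], [slow_key]),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or "OK")
```

In practice the `dnskeys` list would be filled from the child's apex DNSKEY RRset and `ds_set` from the parent's DS RRset (for example as returned by `dig`), and the check run on the staging copy of the zone before the production DS is submitted, which is the "identical test zone" practice the reply recommends.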