
DNSSEC Software Flaw Caused Runet Failure

Yesterday, January 30, many Internet users encountered DNS resolution errors for domains located in the .RU zone, which were caused by a failure in updating the Domain Name System Security Extensions (DNSSEC) key.

The resulting key collision, the reasons for which are currently being investigated by technical specialists of the Technical Center of Internet (TCI) and MSK-IX, led to the temporary unavailability of the .RU zone for some Internet users.

After the failure was detected, the updated keys were revoked and the functionality of the .RU zone was fully restored, which took about two hours, including the distribution of data through the DNS. The well-coordinated work of the specialists who eliminated the technical failure made it possible to quickly restore the .RU zone in full, with DNSSEC validation.

The investigation into the incident is ongoing, but it is already clear that the main cause of the failure was a flaw in the software used to create the encryption keys. Like any other technology, DNSSEC needs improvement over time to correct operational errors as they are discovered. It is worth noting that DNSSEC, as a means of ensuring the security of Internet users, worked as intended: the operation of DNS servers that could not confirm the authenticity of their responses to domain name resolution requests was promptly blocked.

DNSSEC is a young technology by Internet standards. Over the 15 years of its use worldwide, more than 200 similar incidents have occurred, more than 20 of them in the past three years, including the temporary shutdown of the .AU domain in September 2023. In March 2022, a DNSSEC error took the Fiji national domain .FJ off the global network for more than 12 hours. At the beginning of 2022, the same kind of error in DNSSEC settings disconnected about 8 thousand names in the Swedish national domain .SE from the network for several hours, and the .SE registry was the first to implement DNSSEC, back in 2005. As a reminder, the use of DNSSEC when updating the Internet root zone registry is a requirement of IANA, the organization responsible for distributing all names and numbers used in Internet protocols.

For subscribers of providers connected to the National Domain Name System (NDNS), the failure was almost unnoticeable: the NDNS remained fully operational. However, some providers were unable to switch to it even after instructions were sent out by the «General Radio Frequency Centre» Federal State Unitary Enterprise, and returned to normal operation only after the .RU zone itself was restored.

About DNSSEC

DNSSEC (Domain Name System Security Extensions) is a set of DNS protocol extensions that makes it possible to verify the authenticity of a DNS server response using a digital signature. DNSSEC is used for security purposes, to eliminate the possibility of address spoofing at the level of both individual domains and entire zones, and is used for data exchange between the registries of top-level domain zones and the Internet root zone registry.
