APNIC DNSSEC Outage: 2016-03-15

Updated: March 16, 2016

Overview

This page gives some details on the huge APNIC DNSSEC outage on March 15, 2016. It broke DNSSEC service for 48 in-addr.arpa domains (normal DNS and DNSCurve were unaffected).

APNIC Service Announcement

APNIC released this statement which explained how it happened.

Autonomous Systems Affected

Using Team Cymru's IP to ASN bulk service, all possible netblocks from the list of affected domains below were checked on March 18, and a total of 7381 unique ASNs were found. So this DNSSEC outage affected approximately 7381 autonomous systems, a new record for in-addr.arpa DNSSEC outages.

Affected APNIC in-addr.arpa domains

Although APNIC states that 222.in-addr.arpa failed, IANIX didn't see failures for this domain, and neither did DNSViz. It is therefore not included in the following list:

dns-operations list

This DNSSEC outage was discussed in the thread [dns-operations] APNIC reverse zone are broken.

apnic-talk list

The outage was acknowledged in the thread [apnic-talk] Update on APNIC IPv4 reverse DNS zones validation.

It was also discussed in [apnic-talk] APNIC reverse DNS zones validation.

Twitter

The @apnic Twitter account discussed the DNSSEC outage here and here.