Last Comment Bug 872818 - mozilla.org SOA mismatch, DNSSEC signer refusing to sign SOA 2013051500
: mozilla.org SOA mismatch, DNSSEC signer refusing to sign SOA 2013051500
Status: RESOLVED FIXED
:
Product: Infrastructure & Operations
Classification: Other
Component: Infrastructure: Other (show other bugs)
: other
: All All
: -- normal (vote)
: ---
Assigned To: Brian Hourigan [:digi]
: Justin Dow [:jabba]
Mentors:
Depends on: 872831 872832 872884 872885 872927 873129
Blocks:
  Show dependency treegraph
 
Reported: 2013-05-15 16:16 PDT by Dumitru Gherman [:dumitru]
Modified: 2013-06-18 12:29 PDT (History)
2 users (show)
See Also:
Due Date:
QA Whiteboard:
Iteration: ---
Points: ---
Cab Review: ServiceNow Change Request (use flag)


Attachments

Description Dumitru Gherman [:dumitru] 2013-05-15 16:16:07 PDT
15:32 < nagios-scl3> Wed 15:32:38 PDT [587] ns1a.dmz.scl3.mozilla.com:DNS SOA - mozilla.org is CRITICAL: CRITICAL: Serials for zone mozilla.org differ. Dig shows: 2013051402. Local file shows 2013051500. (http://m.allizom.org/DNS+SOA+-+mozilla.org)

This is true. Running the update named script by hand doesn't return any errors. I reloaded rndc but no change.

limed and atoll were notified and looking at this.
Comment 1 Richard Soderberg [:atoll] 2013-05-15 21:17:09 PDT
The SOA mismatch for mozilla.org occurred when the DNSSEC signing process refused to sign the zone. We traced that to an expired ZSK ("zone signing key"), which has been renewed. DNSSEC signing has resumed, and today's mozilla.org updates are now published as expected.
Comment 2 Richard Soderberg [:atoll] 2013-05-15 21:33:15 PDT
Bug 872832 was the root cause of the SOA issue, and is now resolved.

Note You need to log in before you can comment on or make changes to this bug.