# Mozilla Scheduled Downtime – 09/16/2010, 8pm PDT (0300 UTC)

8

We will have a scheduled maintenance window tomorrow night from 8:00pm to 11:00pm PDT. The following changes will take place:

• 8:00pm PDT (0300 UTC) mozilla.org DNSSEC deployment. We’ll be upgrading our nameservers to support DNSSEC and enabling it for the mozilla.org zone. No downtime expected.  UPDATE: We’ve had several reports that the central .org nameservers are already reporting that our zones are supposed to be signed, which causes lookups for mozilla.org to fail because they aren’t.  We’re going to push this out immediately instead of waiting for 8:00pm (current time is 2:25am)  We should have it working within the next hour or so.

Please let me know if you have any reason why we should not proceed with this planned maintenance. As always, we aim to keep downtime to as little as possible, but unexpected complications can arise causing longer downtime periods than expected. All systems should be operational by the end of the maintenance window.

Feel free to comment directly if you see issues past the planned downtime.

## 8 responses

1. ### Michal Žejdlwrote on September 16, 2010 at 12:16 am:

It’s 0714 UTC here and mozilla.org is still not signed.

2. ### Michal Žejdlwrote on September 16, 2010 at 12:31 am:

Sorry, I missed today/tomorrow. Does it mean that I can not use mozilla servers until 9/17/2010 0600 UTC?

mozilla.org. 86400 IN RRSIG DS 7 2 86400 20100929214601 20100915204601 37812 org.

3. ### justdavewrote on September 16, 2010 at 1:31 am:

No, it should still work fine until then. End users shouldn’t really notice anything at this point, the notification is a “just in case” in case something goes wrong when we deploy it and everything breaks. But if all goes well, nobody will notice. (Except the domains will be signed)

4. ### Michal Žejdlwrote on September 16, 2010 at 2:05 am:

Our DNSSEC validating recursive name server claims that

validating @0x2aaab4029f90: mozilla.org SOA: got insecure response; parent indicates it should be secure

and returns no A record.

.org have RRSIG but ns[123].mozilla.org are not signed which is IMO bad.

5. ### justdavewrote on September 16, 2010 at 2:20 am:

We’re going to go ahead and try to push this out now. Apparently our key made it to .org before we got our end in, so now .org is saying we’re supposed to be signed. So I guess we need to be.

6. ### justdavewrote on September 16, 2010 at 4:45 am:

Should be working now! woot

7. ### Michal Žejdlwrote on September 16, 2010 at 5:04 am:

yes, it’s working again

unfortunately DNSSEC Validator add-on still shows mozilla.org as unsecured, probably due to CNAME pointing to .com and .net

8. ### justdavewrote on September 16, 2010 at 6:17 am:

yeah, someone needs to kick those registries and get them to sign their roots.