Mozilla Scheduled Downtime – 09/16/2010, 8pm PDT (0300 UTC)

We will have a scheduled maintenance window tomorrow night from 8:00pm to 11:00pm PDT. The following changes will take place:

  • 8:00pm PDT (0300 UTC) DNSSEC deployment. We’ll be upgrading our nameservers to support DNSSEC and enabling it for the zone. No downtime expected.  UPDATE: We’ve had several reports that the central .org nameservers are already reporting that our zones are supposed to be signed, which causes lookups for to fail because they aren’t.  We’re going to push this out immediately instead of waiting for 8:00pm (current time is 2:25am)  We should have it working within the next hour or so.

Please let me know if you have any reason why we should not proceed with this planned maintenance. As always, we aim to keep downtime to as little as possible, but unexpected complications can arise causing longer downtime periods than expected. All systems should be operational by the end of the maintenance window.

Feel free to comment directly if you see issues past the planned downtime.

8 responses

  1. Michal Žejdl wrote on :

    It’s 0714 UTC here and is still not signed.

  2. Michal Žejdl wrote on :

    Sorry, I missed today/tomorrow. Does it mean that I can not use mozilla servers until 9/17/2010 0600 UTC? 86400 IN RRSIG DS 7 2 86400 20100929214601 20100915204601 37812 org.

  3. justdave wrote on :

    No, it should still work fine until then. End users shouldn’t really notice anything at this point, the notification is a “just in case” in case something goes wrong when we deploy it and everything breaks. But if all goes well, nobody will notice. (Except the domains will be signed)

  4. Michal Žejdl wrote on :

    Our DNSSEC validating recursive name server claims that

    validating @0x2aaab4029f90: SOA: got insecure response; parent indicates it should be secure

    and returns no A record.

    I posted links to Twitter users with the same experience, but these links were removed.

    .org have RRSIG but ns[123] are not signed which is IMO bad.

  5. justdave wrote on :

    We’re going to go ahead and try to push this out now. Apparently our key made it to .org before we got our end in, so now .org is saying we’re supposed to be signed. So I guess we need to be.

  6. justdave wrote on :

    Should be working now! woot

  7. Michal Žejdl wrote on :

    yes, it’s working again

    unfortunately DNSSEC Validator add-on still shows as unsecured, probably due to CNAME pointing to .com and .net

  8. justdave wrote on :

    yeah, someone needs to kick those registries and get them to sign their roots. 🙂