Material updated 1.02.2024 at 16:03
The Ministry of Digital Development has informed about the progress of work to restore access to sites in the RU/РФ zone.
The technical problem related to the global DNSSEC infrastructure, which caused the unavailability of sites in the .RU zone, has been resolved. Malfunctions in the operation of DNS may still be observed for some time, while the updated data is distributed across the domain name system. We will continue to keep you informed of the situation.
On Tuesday, January 30, a global failure of the Russian Internet occurred: dozens of sites and applications "went down" - from Yandex to "Gosuslugi". All of them are united by the use of DNSSEC - a protocol that is responsible for the secure redirection of addresses upon request. This is a technology that protects against an attacker spoofing a response from a DNS server and using digital signatures of domain zones. In other words, it protects any site from cyberattacks, and the user from going to a fraudulent site instead of the original site.
The reasons for the technical problem have not yet been named.
Added:
The Coordination Center for .RU/.РФ domains explained how DNS resolution errors occurred for domains hosted in the .RU zone, which caused a failure during updates to the security extension key of the domain name system (DNSSEC), and part of the .RU zone became unavailable to a number of Internet users.
The resulting key collision, the causes of which are currently being investigated by specialists from the Technical Center of the Internet (TCI) and MSK-IX, led to the temporary unavailability of the .RU zone for some Internet users.
After the failure was detected, the updated keys were revoked, and the operability of the .RU zone was fully restored, which took about two hours, including the distribution of data across the DNS system. This was made possible thanks to the coordinated work of specialists to eliminate the technical failure, which ultimately made it possible to quickly restore the operability of the .RU zone in full with DNSSEC validation.
The incident is currently under investigation, but it is already clear that the main cause of the failure was the imperfection of the software used to create encryption keys.
The CC noted that, like any other technological solution, DNSSEC requires constant improvement. However, in the event of a failure, it ensured the security of network users, as intended - "the operation of DNS servers that did not confirm the authenticity of their response to domain name resolution requests was blocked in a timely manner".
Experts emphasized that for subscribers of providers connected to the National Domain Name System (NSDI), the failure was almost незаметен: it fully retained its operability. However, some providers were unable to switch to it even after the distribution of the order from the Monitoring and Control Center of the Public Communication Network (TsMU SSOP GRChTs), and they only succeeded after the restoration of the normal operation of the RU zone.