Due to a bug in new software, all .se domain names were unreachable last night, and in some cases may still be. The problem started when the .SE registry published an updated list of nameservers. It's an error DNS administrators around the world make on a daily basis, but it's been a long time since it happened to an entire top-level domain such as .se.

In a normal "zone file", every name that does not end with a dot (.) gets the zone's domain name appended. So if you happen to be editing the DNS for, say, the domain name securityandthe.net, you can use the shorthand "mail" to refer to the machine "mail.securityandthe.net". While very convenient, this causes problems if the trailing dot is forgotten: if you write the full server name "mail.securityandthe.net" (without a trailing dot) in that same zone file, the DNS server will still append the zone name, turning the server name into "mail.securityandthe.net.securityandthe.net".
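The origin rule described above, and the kind of pre-publish check that would catch the forgotten dot, as an added example (not code from the original post or from the .se registry). The parser, the sample zone and the "doubled origin" heuristic are all constructed for illustration:

```python
def qualify(name: str, origin: str) -> str:
    # Zone-file rule: '@' is the origin, a trailing dot makes a name absolute,
    # anything else is relative and silently gets the origin appended.
    origin = origin if origin.endswith(".") else origin + "."
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str, origin: str):
    # Tiny parser for one-line NS/A records (no TTL inheritance, no parentheses).
    # Returns (owner, type, rdata) with owner and NS targets qualified the way
    # a nameserver would load them.
    out = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        owner = qualify(tokens[0], origin)
        # skip optional TTL and class tokens before the record type
        rest = [t for t in tokens[1:] if not t.isdigit() and t.upper() != "IN"]
        rtype, rdata = rest[0].upper(), rest[1]
        if rtype == "NS":
            rdata = qualify(rdata, origin)
        out.append((owner, rtype, rdata))
    return out


def doubled_origin(records, origin: str):
    # Heuristic pre-publish check: NS targets ending in the origin twice
    # (e.g. 'b.ns.se.se.' under origin 'se.') almost always mean a forgotten dot.
    label = origin.rstrip(".")
    bad_suffix = f".{label}.{label}."
    return [r for _, t, r in records if t == "NS" and r.endswith(bad_suffix)]


# Constructed sample zone (not the real .se zone): one NS target written
# correctly and one with the trailing dot forgotten, as in the post.
SAMPLE_ZONE = """\
$ORIGIN se.
@     172800 IN NS a.ns.se.    ; absolute: stays a.ns.se.
@     172800 IN NS b.ns.se     ; relative by accident: becomes b.ns.se.se.
mail         IN A  192.0.2.10  ; relative on purpose: becomes mail.se.
"""

SAMPLE_RECORDS = parse_zone(SAMPLE_ZONE, "se.")
SUSPICIOUS = doubled_origin(SAMPLE_RECORDS, "se.")  # ['b.ns.se.se.']
```

Running the check against a zone before signing and publishing it flags exactly the records that would have taken .se down.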

That's exactly what happened at the .se registry. The zone file for .se should have listed the nameservers for .se; instead, this is what the .se nameservers answered when asked for the NS records of .se:

; <<>> DiG 9.4.2-P2 <<>> @192.36.133.107 se ns +norec
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18046
;; flags: qr aa; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;se.                            IN      NS
;; ANSWER SECTION:
se.                     172800  IN      NS      d.ns.se.se.
se.                     172800  IN      NS      e.ns.se.se.
se.                     172800  IN      NS      f.ns.se.se.
se.                     172800  IN      NS      g.ns.se.se.
se.                     172800  IN      NS      h.ns.se.se.
se.                     172800  IN      NS      i.ns.se.se.
se.                     172800  IN      NS      j.ns.se.se.
se.                     172800  IN      NS      a.ns.se.se.
se.                     172800  IN      NS      b.ns.se.se.
se.                     172800  IN      NS      c.ns.se.se.

All nameservers had an extra .se appended; because [a-j].ns.se.se are non-existent hosts, every domain under .se stopped resolving. The error was spotted and corrected within an hour for everyone not using DNSSEC. But the registry also forgot to re-sign the updated zone file, so validating resolvers using DNSSEC kept rejecting the answers from the .se nameservers until a correctly signed version of the .se zone was pushed out, more than three hours after the issue started.

The .se registry has posted its own description of the error on its website, saying that an internal investigation into the cause has been started. My guess is that the conclusion will be that their testing procedures need to be revised!