Expired DNSSEC signatures disrupt 26 African TLDs

  • A technical glitch in one of Afrinic’s authoritative name servers caused expired DNSSEC signatures, disrupting 26 African TLDs, including Madagascar’s .mg. The issue was first reported on 8 November, although it began on 29 October 2024.
  • RIPE Atlas probes revealed that only one instance of the anycasted server, identified as s01-ns2.pkl, was serving outdated data. Afrinic took the server offline to resolve the issue, highlighting challenges with monitoring anycast systems.

What happened

At the end of October 2024, a significant technical issue disrupted 26 African Top-Level Domains (TLDs). One of their authoritative name servers, managed by Afrinic, served outdated data, with DNSSEC (Domain Name System Security Extensions) signatures flagged as expired. This issue was first noticed on 8 November, despite originating on 29 October, causing inconsistent DNS resolution experiences for users of the TLD .mg (Madagascar).

A deeper analysis revealed that not all servers were affected. Instead, one specific instance of the anycasted name server ns-mg.afrinic.net was running outdated data. Measurements from RIPE Atlas probes showed a clear discrepancy: while most servers reported up-to-date data, a minority still relied on stale information. This server instance, identified by the NSID s01-ns2.pkl, contributed to delays in propagating updates across multiple TLDs.

Afrinic eventually resolved the issue by taking the problematic instance offline. However, the problem raised questions about monitoring and troubleshooting for distributed systems, especially those critical to internet infrastructure.

Why this is important

This incident highlights a key vulnerability in internet infrastructure: servers can appear operational while delivering outdated or incorrect data. For domains using DNSSEC, expired signatures expose users to potential risks, such as valid queries failing to resolve or responses being rejected as invalid.

The affected server hosted not only .mg but also 25 other African TLDs, amplifying the scale of the issue. Though Afrinic’s swift action mitigated further damage, the case underscores the need for robust monitoring systems that ensure both uptime and data accuracy.

Moreover, this situation demonstrates the challenges of anycast—a widely used technique that boosts DNS resilience by routing requests to geographically distributed instances. While anycast strengthens DNS robustness, it also complicates problem detection and debugging, as was evident here. Tools like RIPE Atlas prove invaluable for identifying such anomalies, but as this case shows, proactive checks for data freshness remain essential for ensuring seamless DNS operations.
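
One way to implement the proactive freshness check described above, as an added example that is not Afrinic's or RIPE's tooling: given one observation per anycast instance (NSID, SOA serial and RRSIG RDATA, as could be collected with `dig +nsid +dnssec`), it flags instances that lag the newest serial or whose signatures have expired or are close to expiring. The function names, the three-day threshold and all sample values are assumptions.

```python
from datetime import datetime, timedelta, timezone

def rrsig_expiration(rrsig_rdata: str) -> datetime:
    """Return the expiration time from RRSIG RDATA in presentation format (RFC 4034).

    Fields: type-covered alg labels orig-ttl expiration inception key-tag signer sig
    """
    fields = rrsig_rdata.split()
    if len(fields) < 9:
        raise ValueError("truncated RRSIG RDATA")
    return datetime.strptime(fields[4], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def find_stale_instances(observations, now, min_remaining=timedelta(days=3)):
    """Map NSID -> list of problems for instances serving stale or expiring data.

    observations: iterable of (nsid, soa_serial, rrsig_rdata), one per anycast
    instance reached. Assumes serials only increase (no RFC 1982 wrap-around).
    """
    observations = list(observations)
    newest = max(serial for _, serial, _ in observations)
    problems = {}
    for nsid, serial, rdata in observations:
        found = []
        if serial < newest:
            found.append(f"serial {serial} behind {newest}")
        remaining = rrsig_expiration(rdata) - now
        if remaining <= timedelta(0):
            found.append(f"signature expired {-remaining} ago")
        elif remaining < min_remaining:
            found.append(f"signature expires in {remaining}")
        if found:
            problems[nsid] = found
    return problems

# Constructed sample: serials, timestamps, key tag and signatures are invented.
# "s01-ns2.pkl" is the NSID named in the article; the other two are hypothetical.
SAMPLE = [
    ("example-a", 2024110801, "SOA 8 1 86400 20241122000000 20241108000000 12345 mg. c2ln"),
    ("example-b", 2024110801, "SOA 8 1 86400 20241122000000 20241108000000 12345 mg. c2ln"),
    ("s01-ns2.pkl", 2024102901, "SOA 8 1 86400 20241105000000 20241022000000 12345 mg. c2ln"),
]
NOW = datetime(2024, 11, 8, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for nsid, found in find_stale_instances(SAMPLE, NOW).items():
        print(nsid, "->", "; ".join(found))
```

Running the check from several vantage points matters here, because a single monitor only ever reaches the anycast instance nearest to it.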

Vionna Fiducia Theja

Vionna Fiducia Theja is a passionate journalist with a First Class Honours degree in Media and Communication from the University of Liverpool. A storyteller at heart, she delves into the vibrant worlds of technology, art, and entertainment, where creativity meets innovation. Vionna believes in the power of media to transform lives and spark conversations that matter. Connect with her at v.zheng@btw.media.
