opendnssec.org DNSSEC Outage: 2015-01-25 to 2015-01-26
Updated: January 26, 2015
Overview
This page gives some details on the opendnssec.org DNSSEC outage from January 25 to January 26, 2015. The outage lasted over 12 hours.
Timeline / DNSViz
- 2015-01-25 20:00:28 UTC — RRSIGs expire
- 2015-01-26 01:57:14 UTC — expired RRSIGs
- 2015-01-26 02:18:20 UTC — expired RRSIGs
- 2015-01-26 03:29:49 UTC — expired RRSIGs
- 2015-01-26 04:01:28 UTC — expired RRSIGs
- 2015-01-26 05:26:00 UTC — expired RRSIGs
- 2015-01-26 06:53:11 UTC — expired RRSIGs
- 2015-01-26 08:02:56 UTC — expired RRSIGs
- 2015-01-26 08:08:34 UTC — expired RRSIGs
- 2015-01-26 08:21:46 UTC — expired RRSIGs
- 2015-01-26 08:39:11 UTC — approximate end of outage
- 2015-01-26 08:42:59 UTC — opendnssec.org no longer broken by DNSSEC
Verisign's DNSSEC Debugger
Here's a screenshot I took on January 25, 2015, of the DNSSEC Debugger output:
OpenDNS vs. Google Public DNS
While Google Public DNS supports DNSSEC, OpenDNS supports the superior DNSCurve, which is (among other advantages) immune to DNSSEC failures. During this outage, Google failed to resolve names under opendnssec.org while OpenDNS worked normally.
With OpenDNS, queries succeed:
$ dig www.opendnssec.org. @resolver1.opendns.com
; <<>> DiG 9.4.2-P2 <<>> www.opendnssec.org. @resolver1.opendns.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48064
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.opendnssec.org. IN A
;; ANSWER SECTION:
www.opendnssec.org. 58846 IN A 185.49.141.14
;; Query time: 14 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sun Jan 25 19:58:01 2015
;; MSG SIZE rcvd: 52
With Google Public DNS, queries fail:
$ dig www.opendnssec.org. @8.8.8.8
; <<>> DiG 9.4.2-P2 <<>> www.opendnssec.org. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48391
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.opendnssec.org. IN A
;; Query time: 496 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jan 25 19:58:12 2015
;; MSG SIZE rcvd: 36
dnscheck
dnscheck.iis.se archived a DNSSEC outage at 2015-01-25 20:01:45 (requires JavaScript).
dnscheck.labs.nic.cz archived a DNSSEC outage at 2015-01-25 20:03:17 (requires JavaScript).
Logfile examples
- [1422237465] unbound[29476:0] info: validation failure <www.opendnssec.org. A IN>: signature expired from 91.206.174.4 for key opendnssec.org. while building chain of trust
- [1422237921] unbound[29476:0] info: validation failure <opendnssec.org. NS IN>: signature expired from 91.123.201.115 for key opendnssec.org. while building chain of trust
- [1422238576] unbound[29476:0] info: validation failure <opendnssec.org. MX IN>: signature expired from 192.36.115.53 for key opendnssec.org. while building chain of trust
- [1422240751] unbound[29476:0] info: validation failure <opendnssec.org. A IN>: signature expired from 192.36.115.53 for key opendnssec.org. while building chain of trust
- [1422241173] unbound[29476:0] info: validation failure <www.opendnssec.org. AAAA IN>: signature expired from 91.206.174.4 for key opendnssec.org. while building chain of trust
- [1422261251] unbound[29476:0] info: validation failure <opendnssec.org. NS IN>: signature expired from 91.206.174.4 for key opendnssec.org. while building chain of trust
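The following is an added example, not part of the original page: a small Python parser that turns Unbound "validation failure" lines like those above into a per-zone summary (failure count, first and last occurrence in UTC, affected RRsets, and the authoritative servers that returned the expired signatures). The function names and the final non-matching log line are assumptions made for illustration; the first three sample lines are copied from the list above.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Unbound "validation failure" line as shown in the logfile examples above.
LINE_RE = re.compile(
    r"\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: validation failure "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: (?P<reason>.+?) "
    r"from (?P<server>\S+) for key (?P<zone>\S+) while building chain of trust"
)

# First three lines are copied from the page; the last one is constructed
# to show that unrelated log entries are skipped.
SAMPLE_LOG = """\
[1422237465] unbound[29476:0] info: validation failure <www.opendnssec.org. A IN>: signature expired from 91.206.174.4 for key opendnssec.org. while building chain of trust
[1422238576] unbound[29476:0] info: validation failure <opendnssec.org. MX IN>: signature expired from 192.36.115.53 for key opendnssec.org. while building chain of trust
[1422261251] unbound[29476:0] info: validation failure <opendnssec.org. NS IN>: signature expired from 91.206.174.4 for key opendnssec.org. while building chain of trust
[1422240000] unbound[29476:0] info: constructed non-matching line
"""

def parse(log_text):
    """Yield one dict per validation-failure line; skip everything else."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["when"] = datetime.fromtimestamp(int(rec["ts"]), tz=timezone.utc)
            yield rec

def summarize(log_text, reason="signature expired"):
    """Group failures with the given reason by the zone whose key was used."""
    zones = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                 "rrsets": set(), "servers": set()})
    for rec in parse(log_text):
        if rec["reason"] != reason:
            continue
        z = zones[rec["zone"]]
        z["count"] += 1
        z["first"] = min(z["first"] or rec["when"], rec["when"])
        z["last"] = max(z["last"] or rec["when"], rec["when"])
        z["rrsets"].add((rec["qname"], rec["qtype"]))
        z["servers"].add(rec["server"])
    return dict(zones)

if __name__ == "__main__":
    for zone, s in summarize(SAMPLE_LOG).items():
        print(zone, s["count"], s["first"].isoformat(), s["last"].isoformat(),
              sorted(s["servers"]))
```

The first and last timestamps it reports for opendnssec.org. fall inside the outage window given in the timeline above.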