opendnssec.org DNSSEC Outage: 2015-01-25 to 2015-01-26

Updated: January 26, 2015

Overview

This page gives some details on the opendnssec.org DNSSEC outage from January 25 to January 26, 2015. The outage lasted over 12 hours.

Timeline / DNSViz

Verisign's DNSSEC Debugger

Here's a screenshot I took on January 25, 2015, of the DNSSEC Debugger output:

January 25, 2015 opendnssec.org DNSSEC outage

OpenDNS vs. Google Public DNS

While Google Public DNS supports DNSSEC, OpenDNS supports the superior DNSCurve, which is (among other advantages) immune to DNSSEC failures. During this outage, Google failed to resolve names under opendnssec.org while OpenDNS worked normally.

With OpenDNS, queries succeed:

$ dig www.opendnssec.org. @resolver1.opendns.com

; <<>> DiG 9.4.2-P2 <<>> www.opendnssec.org. @resolver1.opendns.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48064
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.opendnssec.org. IN A

;; ANSWER SECTION:
www.opendnssec.org. 58846 IN A 185.49.141.14

;; Query time: 14 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sun Jan 25 19:58:01 2015
;; MSG SIZE rcvd: 52


With Google Public DNS, queries fail:

$ dig www.opendnssec.org. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> www.opendnssec.org. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48391
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.opendnssec.org. IN A

;; Query time: 496 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jan 25 19:58:12 2015
;; MSG SIZE rcvd: 36
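The comparison above, as an added example that is not part of the original page: a small shell triage that reads two dig responses for the same name and flags the pattern seen here (SERVFAIL from a validating resolver, NOERROR with an answer from a resolver that does not validate DNSSEC). The function names are hypothetical, and the sample responses are trimmed from the dig output shown above.

```shell
#!/bin/sh
# Added example: classify a pair of dig responses for the same query name.
# Sample inputs are trimmed copies of the dig output shown on this page.
# On a live system the second input can instead come from the same validating
# resolver queried with checking disabled: dig +cd NAME @RESOLVER

GOOGLE_OUT=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48391
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; SERVER: 8.8.8.8#53(8.8.8.8)'

OPENDNS_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48064
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; SERVER: 208.67.222.222#53(208.67.222.222)'

# dig_status TEXT: print the response code from the ->>HEADER<<- line.
dig_status() {
    printf '%s\n' "$1" |
        sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# dig_answers TEXT: print the ANSWER count from the flags line.
dig_answers() {
    printf '%s\n' "$1" |
        sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1
}

# classify VALIDATING_TEXT NONVALIDATING_TEXT
# SERVFAIL from the validator while the non-validating path returns data
# points at a DNSSEC validation failure rather than an unreachable zone.
classify() {
    v=$(dig_status "$1")
    n=$(dig_status "$2")
    a=$(dig_answers "$2")
    if [ "$v" = "SERVFAIL" ] && [ "$n" = "NOERROR" ] && [ "${a:-0}" -gt 0 ]; then
        echo "dnssec-validation-failure-suspected"
    elif [ "$v" = "$n" ]; then
        echo "consistent:$v"
    else
        echo "inconclusive:$v/$n"
    fi
}

classify "$GOOGLE_OUT" "$OPENDNS_OUT"
```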

dnscheck

dnscheck.iis.se archived a DNSSEC outage at 2015-01-25 20:01:45 (requires JavaScript).

dnscheck.labs.nic.cz archived a DNSSEC outage at 2015-01-25 20:03:17 (requires JavaScript).

Logfile examples