ip6.arpa DNSSEC Outage: 2017-10-24
Date: October 24, 2017
Overview
This page gives some details on the ip6.arpa DNSSEC outage on October 24, 2017.
Timeline / DNSViz
- 2017-10-24 21:04:28 UTC — first personally observed ip6.arpa DNSSEC failure
- 2017-10-24 21:04:55 UTC — Bogus DNSSEC delegation
- 2017-10-24 21:27:34 UTC — last personally observed ip6.arpa DNSSEC failure
- 2017-10-25 01:21:59 UTC — DNSSEC outage over
Zonemaster
- zonemaster.net archived "Delegation from parent to child is not properly signed (no_dnskey; no_dnskey; no_dnskey)."
- zonemaster.fr archived "Delegation from parent to child is not properly signed (no_dnskey; no_dnskey; no_dnskey)."
DNS OARC: with and without DNSSEC
DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC.
$ dig +dnssec ns ip6.arpa. @184.105.193.74
; <<>> DiG 9.4.2-P2 <<>> +dnssec ns ip6.arpa. @184.105.193.74
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29848
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ip6.arpa. IN NS
;; Query time: 1662 msec
;; SERVER: 184.105.193.74#53(184.105.193.74)
;; WHEN: Tue Oct 24 21:04:41 2017
;; MSG SIZE rcvd: 37
You have to disable DNSSEC to make DNS queries work:
$ dig +cd ns ip6.arpa. @184.105.193.74
; <<>> DiG 9.4.2-P2 <<>> +cd ns ip6.arpa. @184.105.193.74
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29204
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ip6.arpa. IN NS
;; ANSWER SECTION:
ip6.arpa. 3598 IN NS a.ip6-servers.arpa.
ip6.arpa. 3598 IN NS b.ip6-servers.arpa.
ip6.arpa. 3598 IN NS c.ip6-servers.arpa.
ip6.arpa. 3598 IN NS d.ip6-servers.arpa.
ip6.arpa. 3598 IN NS e.ip6-servers.arpa.
ip6.arpa. 3598 IN NS f.ip6-servers.arpa.
;; Query time: 482 msec
;; SERVER: 184.105.193.74#53(184.105.193.74)
;; WHEN: Tue Oct 24 21:04:42 2017
;; MSG SIZE rcvd: 134
drill trace
Since DNSSEC contains so much garbage, I put the complete drill trace into its own file with the relevant portion below (emphasis added):
;; Domain: ip6.arpa.
;; Signature ok but no chain to a trusted key or ds record
[S] ip6.arpa. 3600 IN DNSKEY 256 3 8 ;{id = 19561 (zsk), size = 1024b}
ip6.arpa. 3600 IN DNSKEY 257 3 8 ;{id = 52682 (ksk), size = 2048b}
[S] Existence denied: ip6.arpa. A
;;[S] self sig OK; [B] bogus; [T] trusted
Logfile examples
- [1508879068] unbound[40658:0] info: validation failure <ip6.arpa. NS IN>: no keys have a DS with algorithm RSASHA256 from 196.216.169.11 for key ip6.arpa. while building chain of trust
- [1508880454] unbound[40658:0] info: validation failure <ip6.arpa. NS IN>: no keys have a DS with algorithm RSASHA256 from 202.12.29.59 for key ip6.arpa. while building chain of trust