gentoo.org DNSSEC Outage: 2018-06-26

Date: June 26, 2018

Overview

This page gives some details on the gentoo.org DNSSEC outage on June 26, 2018. Gentoo is a major Linux distribution.

Timeline / DNSViz

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from June 18, 2018.

June 18, 2018 gentoo.org DNSSEC outage

DNS-OARC Public DNS: with and without DNSSEC

DNSSEC validation can be disabled per query via the CD (checking disabled) bit. Let's compare DNS queries with and without validation. With DNSSEC (the DO bit set via +dnssec), the query results in SERVFAIL:

$ dig +dnssec a www.gentoo.org. @184.105.193.74

; <<>> DiG 9.4.2-P2 <<>> +dnssec a www.gentoo.org. @184.105.193.74
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49188
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.gentoo.org. IN A

;; Query time: 368 msec
;; SERVER: 184.105.193.74#53(184.105.193.74)
;; WHEN: Tue Jun 26 19:26:58 2018
;; MSG SIZE rcvd: 43
You have to disable DNSSEC validation (+cd) to make the query succeed:

$ dig +cd a www.gentoo.org. @184.105.193.74

; <<>> DiG 9.4.2-P2 <<>> +cd a www.gentoo.org. @184.105.193.74
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37260
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 4

;; QUESTION SECTION:
;www.gentoo.org. IN A

;; ANSWER SECTION:
www.gentoo.org. 1799 IN CNAME www-bytemark-v4v6.gentoo.org.
www-bytemark-v4v6.gentoo.org. 900 IN A 89.16.167.134

;; AUTHORITY SECTION:
gentoo.org. 86400 IN NS ns1.gentoo.org.
gentoo.org. 86400 IN NS ns2.gentoo.org.
gentoo.org. 86400 IN NS ns3.gentoo.org.

;; ADDITIONAL SECTION:
ns1.gentoo.org. 900 IN AAAA 2001:470:ea4a:1:225:90ff:fe02:16e5
ns1.gentoo.org. 3600 IN A 140.211.166.189
ns2.gentoo.org. 60 IN A 194.116.76.134
ns3.gentoo.org. 3600 IN A 208.116.51.2

;; Query time: 51 msec
;; SERVER: 184.105.193.74#53(184.105.193.74)
;; WHEN: Tue Jun 26 19:26:58 2018
;; MSG SIZE rcvd: 210

drill trace

Since a full DNSSEC trace contains so much noise, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):

;; Domain: gentoo.org.
;; Signature ok but no chain to a trusted key or ds record
[S] gentoo.org. 30 IN DNSKEY 256 3 5 ;{id = 52980 (zsk), size = 1280b}
gentoo.org. 30 IN DNSKEY 257 3 5 ;{id = 46873 (ksk), size = 1280b}
[S] gentoo.org. 900 IN A 89.16.167.134
;;[S] self sig OK; [B] bogus; [T] trusted
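
The drill message above means the zone's DNSKEY RRset verified against its own signatures, but no DS record served by the parent (.org) matched any of the zone's keys, so a validator cannot link the zone to a trusted key. As an added example, not code from the page's author, here is a Python check that recomputes key tags and DS digests from a DNSKEY RRset and compares them with the DS set the parent serves. All keys are constructed (they are not gentoo.org's real keys), and the stale-DS scenario is an assumed illustration of how the message arises, not a root cause the page states.

```python
import base64
import hashlib

# Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels.
def name_to_wire(name: str) -> bytes:
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

# Key tag (the "id" drill prints) per RFC 4034 Appendix B: 16-bit checksum of the RDATA.
# Applies to every algorithm except the obsolete RSA/MD5 (algorithm 1).
def key_tag(rdata: bytes) -> int:
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

# DNSKEY RDATA from presentation form "<flags> <protocol> <algorithm> <base64 key>".
def parse_dnskey(text: str) -> bytes:
    flags, proto, alg, b64 = text.split(None, 3)
    key = base64.b64decode("".join(b64.split()))
    return int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + key

# DS record (RFC 4034 s5.1.4) as (key tag, algorithm, digest type 2, SHA-256 hex)
# over the canonical owner name followed by the DNSKEY RDATA.
def make_ds(owner: str, rdata: bytes) -> tuple:
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

# The validator's decision from RFC 4035 s5.2: the chain holds only if some DS the
# parent serves matches a DNSKEY in the child RRset that has the Zone Key flag
# (flags bit 7) set.  The SEP/KSK bit (flags 257) is only a hint and is not required.
def chain_status(owner: str, dnskeys: list, parent_ds: list) -> str:
    for rdata in dnskeys:
        if rdata[0] & 0x01 and make_ds(owner, rdata) in parent_ds:
            return "secure: parent DS matches DNSKEY id %d" % key_tag(rdata)
    return "bogus: no chain to a trusted key or ds record"

# Constructed sample data, NOT gentoo.org's real keys: the child publishes a KSK and
# ZSK, but the parent still serves a DS computed from an older, already-rolled KSK.
ZONE = "gentoo.org."
CURRENT_KSK = parse_dnskey("257 3 5 AwEAAavN7wEjRWeJ")
CURRENT_ZSK = parse_dnskey("256 3 5 AwEAAdPR0ZqGWnf5")
OLD_KSK = parse_dnskey("257 3 5 AwEAAc3Ss7EMgXHT")
STALE_PARENT_DS = [make_ds(ZONE, OLD_KSK)]      # what the parent still answers with
FIXED_PARENT_DS = [make_ds(ZONE, CURRENT_KSK)]  # after the DS at the parent is updated

if __name__ == "__main__":
    keys = [CURRENT_KSK, CURRENT_ZSK]
    print("stale DS:", chain_status(ZONE, keys, STALE_PARENT_DS))
    print("fixed DS:", chain_status(ZONE, keys, FIXED_PARENT_DS))
```

Against a live zone the same comparison is made by fetching the child's DNSKEY RRset and the parent's DS RRset with `dig +cd` and feeding their presentation-form records to `parse_dnskey` and `make_ds`.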

Logfile examples