army.mil DNSSEC Outage: 2020-10-10
Date: October 10, 2020
Overview
This page gives some details on the army.mil DNSSEC outage on October 10, 2020.
Timeline / DNSViz
- 2020-10-09 20:01:58 UTC — first personally observed army.mil DNSSEC failure
- 2020-10-10 02:35:56 UTC — Bogus DNSSEC
- 2020-10-10 10:51:03 UTC — last personally observed army.mil DNSSEC failure
Since DNSViz has lost its archives multiple times, here's a 3rd party copy:
And here's a screenshot, just in case:

DNSSEC Debugger
Here's a screenshot of my web browser's output from October 10, 2020:

Thanks to archive.is there's also a copy.
Zonemaster
Here are some Zonemaster archives of this outage.
- zonemaster.net (archive.is copy)
- zonemaster.iis.se (archive.is copy)
- zonemaster.labs.nic.cz (archive.is copy)
drill trace
Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):
;; Domain: army.mil.
[B] army.mil. 19324 IN DNSKEY 256 3 8 ;{id = 41133 (zsk), size = 2048b}
army.mil. 19324 IN DNSKEY 256 3 8 ;{id = 49608 (zsk), size = 2048b}
army.mil. 19324 IN DNSKEY 257 3 8 ;{id = 62140 (ksk), size = 2048b}
army.mil. 19324 IN DNSKEY 256 3 8 ;{id = 61578 (zsk), size = 2048b}
army.mil. 19324 IN DNSKEY 257 3 8 ;{id = 30256 (ksk), size = 2048b}
[B] army.mil. 2168 IN A 147.241.58.6
;; Error: No keys with the keytag and algorithm from the RRSIG found
;;[S] self sig OK; [B] bogus; [T] trusted
Logfile examples
These logs come from different servers in different geographical regions:
- [1602273718] unbound[13300:0] info: validation failure <www.army.mil. A IN>: signature crypto failed from 192.82.113.7 for key army.mil. while building chain of trust
- [1602277067] unbound[7617:0] info: validation failure <www.army.mil. A IN>: signature crypto failed from 140.153.43.44 for key army.mil. while building chain of trust
- [1602312130] unbound[2146:0] info: validation failure <army.mil. A IN>: signature crypto failed from 140.153.43.44 for key army.mil. while building chain of trust
- [1602317070] unbound[13300:0] info: validation failure <army.mil. A IN>: signature crypto failed from 140.153.43.44 for key army.mil. while building chain of trust
- [1602323970] unbound[13300:0] info: validation failure <www.army.mil. A IN>: signature crypto failed from 140.153.43.44 for key army.mil. while building chain of trust
- [1602327063] unbound[2146:0] info: validation failure <www.army.mil. A IN>: signature crypto failed from 140.153.43.44 for key army.mil. while building chain of trust
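An added example (not part of the original page): a short Python script that parses the unbound log lines listed above, converts their epoch timestamps to UTC, and summarizes the observed failure window for each key that failed validation. The function names and the regular expression are this example's own and cover only the message shape shown on this page.

```python
import re
from datetime import datetime, timezone

# The six unbound log lines from this page, list markers removed.
LOG = """\
[1602273718] unbound[13300:0] info: validation failure <www.army.mil. A IN>: signature crypto failed from 192.82.113.7 for key army.mil. while building chain of trust
[1602277067] unbound[7617:0] info: validation failure <www.army.mil. A IN>: signature crypto failed from 140.153.43.44 for key army.mil. while building chain of trust
[1602312130] unbound[2146:0] info: validation failure <army.mil. A IN>: signature crypto failed from 140.153.43.44 for key army.mil. while building chain of trust
[1602317070] unbound[13300:0] info: validation failure <army.mil. A IN>: signature crypto failed from 140.153.43.44 for key army.mil. while building chain of trust
[1602323970] unbound[13300:0] info: validation failure <www.army.mil. A IN>: signature crypto failed from 140.153.43.44 for key army.mil. while building chain of trust
[1602327063] unbound[2146:0] info: validation failure <www.army.mil. A IN>: signature crypto failed from 140.153.43.44 for key army.mil. while building chain of trust
"""

# Covers only the message shape shown on this page; other lines are skipped.
FAILURE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[(?P<pid>\d+):\d+\] info: validation failure "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: (?P<reason>.+?) "
    r"from (?P<server>\S+) for key (?P<key>\S+)"
)

def summarize(text):
    """Group validation failures by the key (zone) that failed to validate."""
    zones = {}
    for line in text.splitlines():
        m = FAILURE.match(line.strip())
        if not m:
            continue
        when = datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc)
        z = zones.setdefault(m["key"], {
            "first": when, "last": when, "count": 0,
            "reasons": set(), "servers": set(), "qnames": set(), "pids": set()})
        z["first"] = min(z["first"], when)
        z["last"] = max(z["last"], when)
        z["count"] += 1
        z["reasons"].add(m["reason"])
        z["servers"].add(m["server"])       # authoritative server that answered
        z["qnames"].add(m["qname"])
        z["pids"].add(int(m["pid"]))        # no hostname in the log, only the pid
    return zones

def report(zones):
    """One line per failing key: observed window (UTC), count, servers, reasons."""
    fmt = "%Y-%m-%d %H:%M:%S"
    return [f"{key} {z['first'].strftime(fmt)} .. {z['last'].strftime(fmt)} UTC "
            f"({z['last'] - z['first']}) failures={z['count']} "
            f"servers={sorted(z['servers'])} reasons={sorted(z['reasons'])}"
            for key, z in sorted(zones.items())]

if __name__ == "__main__":
    print(*report(summarize(LOG)), sep="\n")
```

The window it reports is bounded by the first and last log entries, so it is the observed span of failures rather than the true start and end of the outage.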