.ci (Côte d'Ivoire / Ivory Coast) DNSSEC Outage: 2023-10-21 to 2023-10-22
Date: October 21, 2023
Overview
This page gives some details on the .ci DNSSEC outage from October 21 to October 22, 2023.
Timeline / DNSViz
- 2023-10-21 07:17:47 UTC — first personally observed .ci/NS DNSSEC failure
- 2023-10-21 07:18:15 UTC — No RRSIGs
- 2023-10-21 07:18:05 UTC — ci/NS No RRSIG etc.
- 2023-10-21 07:20:44 UTC — ci/NS No RRSIG etc.
- 2023-10-21 07:21:31 UTC — ci/NS No RRSIG etc.
- 2023-10-21 07:24:16 UTC — ci/NS No RRSIG etc.
- 2023-10-21 12:06:54 UTC — total DNSSEC outage
- 2023-10-22 00:24:32 UTC — ci/NS No RRSIG etc.
- 2023-10-22 05:14:29 UTC — total DNSSEC outage + new bogus SOA
- 2023-10-22 11:45:34 UTC — DNSSEC outage temporarily fixed
- 2023-10-22 14:55:35 UTC — total DNSSEC outage is back in business
Here's a screenshot:
DNSSEC Debugger
Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from April 4, 2023:
Google DNS: with and without DNSSEC
A resolver's DNSSEC validation can be bypassed per query via the CD (checking disabled) bit. Let's compare queries to Google Public DNS with and without DNSSEC validation.
$ dig +dnssec ns ci. @8.8.8.8.
; <<>> dig 9.10.8-P1 <<>> +dnssec ns ci. @8.8.8.8.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12704
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;ci. IN NS
;; Query time: 44 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Oct 21 07:17:50 UTC 2023
;; MSG SIZE rcvd: 31
You have to disable DNSSEC validation (+cd) to get an answer for ci. at all:
$ dig +cd ns ci. @8.8.8.8.
; <<>> dig 9.10.8-P1 <<>> +cd ns ci. @8.8.8.8.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49321
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ci. IN NS
;; ANSWER SECTION:
ci. 7200 IN NS ns.nic.ci.
ci. 7200 IN NS ns-ci.afrinic.net.
ci. 7200 IN NS ci.hosting.nic.fr.
ci. 7200 IN NS phloem.uoregon.edu.
ci. 7200 IN NS any.nic.ci.
;; Query time: 22 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Oct 21 07:17:50 UTC 2023
;; MSG SIZE rcvd: 164
Zonemaster
Please note that Zonemaster requires JavaScript to display webpage text.
- Zonemaster.se observed this DNSSEC outage at 2023-10-22 16:08 GMT+00:00
- zonemaster.net observed this DNSSEC outage at 2023-10-22 16:08 GMT+00:00
drill trace
Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):
[T] ci. 86400 IN DS 60224 8 2 0fb751f1b2230b9ef643ddce8c30acd1e7cc20fa7d52346ca074a32b8f01c686
;; Domain: ci.
[B] ci. 7200 IN DNSKEY 257 3 8 ;{id = 60224 (ksk), size = 1024b}
ci. 7200 IN DNSKEY 256 3 8 ;{id = 36075 (zsk), size = 1024b}
[U] No data found for: ci. type A
;;[S] self sig OK; [B] bogus; [T] trusted; [U] unsigned
Logfile examples
- [1697872667] unbound[19739:0] info: validation failure <ci. NS IN>: no signatures from 204.61.216.120
- [1697872968] unbound[19739:0] info: validation failure <ci. NS IN>: no signatures from 128.223.32.35
- [1697873156] unbound[19739:0] info: validation failure <ci. NS IN>: no signatures from 204.61.216.120
- [1697873666] unbound[19739:0] info: validation failure <ci. NS IN>: no signatures from 192.134.0.49
- [1697879655] unbound[19739:0] info: validation failure <ci. NS IN>: No DNSKEY record from 192.134.0.49 for key ci. while building chain of trust
- [1697879792] unbound[19739:0] info: validation failure <ci. NS IN>: No DNSKEY record from 196.216.168.30 for key ci. while building chain of trust
- [1697879915] unbound[19739:0] info: validation failure <ci. NS IN>: No DNSKEY record from 196.49.0.84 for key ci. while building chain of trust
- [1697880300] unbound[19739:0] info: validation failure <ci. NS IN>: No DNSKEY record from 128.223.32.35 for key ci. while building chain of trust
- [1697903805] unbound[19739:0] info: validation failure <ci. NS IN>: no signatures from 128.223.32.35 for key ci. while building chain of trust
- [1697934500] unbound[19739:0] info: validation failure <ci. NS IN>: no signatures from 192.134.0.49
- [1697934634] unbound[19739:0] info: validation failure <ci. NS IN>: no signatures from 204.61.216.120
- [1697934777] unbound[19739:0] info: validation failure <ci. NS IN>: no signatures from 128.223.32.35
- [1697939004] unbound[19739:0] info: validation failure <ci. NS IN>: no signatures from 196.216.168.30
- [1697939633] unbound[19739:0] info: validation failure <ci. NS IN>: no signatures from 196.49.0.84
- [1697940862] unbound[19739:0] info: validation failure <ci. NS IN>: no signatures from 128.223.32.35 for key ci. while building chain of trust
- [1697941114] unbound[19739:0] info: validation failure <ci. NS IN>: No DNSKEY record from 196.216.168.30 for key ci. while building chain of trust
- [1697941177] unbound[19739:0] info: validation failure <ci. NS IN>: No DNSKEY record from 196.49.0.84 for key ci. while building chain of trust
- [1697942126] unbound[19739:0] info: validation failure <ci. NS IN>: No DNSKEY record from 192.134.0.49 for key ci. while building chain of trust
- [1697945413] unbound[19739:0] info: validation failure <ci. NS IN>: No DNSKEY record from 128.223.32.35 for key ci. while building chain of trust
- [1697958100] unbound[19739:0] info: validation failure <ci. NS IN>: no signatures from 192.134.0.49
- [1697993221] unbound[19739:0] info: validation failure <ci. NS IN>: No DNSKEY record from 192.134.0.49 for key ci. while building chain of trust
- [1697993494] unbound[19739:0] info: validation failure <ci. NS IN>: No DNSKEY record from 204.61.216.120 for key ci. while building chain of trust
- [1697993596] unbound[19739:0] info: validation failure <ci. NS IN>: No DNSKEY record from 196.216.168.30 for key ci. while building chain of trust
- [1697993741] unbound[19739:0] info: validation failure <ci. NS IN>: No DNSKEY record from 196.49.0.84 for key ci. while building chain of trust
- [1697994461] unbound[19739:0] info: validation failure <www.google.ci. A IN>: key for validation ci. is marked as invalid because of a previous No DNSKEY record
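As an added example (not from the original page), here is a small Python parser that turns unbound validation-failure lines like the ones above into an outage summary: the kind of failure, which authoritative servers returned no usable data, which names were hit, and the UTC time window (the bracketed numbers are Unix epoch seconds; 1697872667 is the 07:17:47 UTC entry from the timeline). The sample lines are constructed in the format of the excerpts above.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the format of the unbound excerpts above (not copied from a live resolver).
SAMPLE_LOG = """\
[1697872667] unbound[19739:0] info: validation failure <ci. NS IN>: no signatures from 204.61.216.120
[1697879655] unbound[19739:0] info: validation failure <ci. NS IN>: No DNSKEY record from 192.134.0.49 for key ci. while building chain of trust
[1697994461] unbound[19739:0] info: validation failure <www.google.ci. A IN>: key for validation ci. is marked as invalid because of a previous No DNSKEY record
[1697872700] unbound[19739:0] info: resolving ci. NS IN
"""

# Generic shape of an unbound "validation failure" line: epoch timestamp, query, reason.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[[^\]]+\] info: validation failure "
    r"<(?P<name>\S+) (?P<rtype>\S+) (?P<rclass>\S+)>: (?P<reason>.*)$"
)
# Reason patterns seen during the outage: missing RRSIGs, missing DNSKEY, and a cached bad key.
REASON_RES = [
    ("no_signatures", re.compile(r"^no signatures from (?P<server>\S+)")),
    ("no_dnskey", re.compile(r"^No DNSKEY record from (?P<server>\S+) for key (?P<key>\S+)")),
    ("cached_invalid_key", re.compile(r"^key for validation (?P<key>\S+) is marked as invalid")),
]

def parse_failure(line):
    """Parse one unbound validation-failure line; return None for any other log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"time": datetime.fromtimestamp(int(m["ts"]), timezone.utc), "name": m["name"],
          "rtype": m["rtype"], "kind": "other", "server": None, "key": None}
    for kind, rx in REASON_RES:
        r = rx.match(m["reason"])
        if r:
            ev["kind"] = kind
            ev.update(r.groupdict())
            break
    return ev

def summarize(log_text):
    """Aggregate failures: kinds, auth servers that gave no usable data, names hit, time window."""
    events = [e for e in map(parse_failure, log_text.splitlines()) if e]
    times = [e["time"] for e in events]
    return {"count": len(events),
            "kinds": Counter(e["kind"] for e in events),
            "servers": sorted({e["server"] for e in events if e["server"]}),
            "affected_names": sorted({e["name"] for e in events}),
            "first": min(times) if times else None,
            "last": max(times) if times else None}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["first"], "->", s["last"], dict(s["kinds"]), s["servers"], s["affected_names"])
```

The cached_invalid_key kind is the one to watch for impact: once unbound has marked the ci. key invalid, lookups under .ci such as www.google.ci fail as well, even though no new answer from the .ci servers was involved.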