Major DNSSEC Outages and Validation Failures

Updated: February 28, 2017

This page lists only DNSSEC failures that have the potential to cause downtime for a significant number of domains, users, or both. It does not list smaller outages such as dominos.com ($1.425 Billion in yearly revenue), the Government of California, or other such "small" organizations. They are too frequent to mention. Technical and media/content organizations are held to a higher standard.

Principal sources of information: DNSViz, Verisign's DNSSEC Debugger, Zonemaster, dnscheck.iis.se, dnscheck.labs.nic.cz, and Unbound logs. Discussions on technical mailing lists are also used as sources.

Note: DNSViz has lost a portion of its archives multiple times, turning many citations on this page into 404s. And until recently, the dnssec-deployment.org mailing list archives were down for around 5 months, producing more 404s. Constant DNSSEC outages desensitize people to downtime, making them think it's normal.

Root servers

TLD DNSSEC outages

Major sites

Long DNSSEC outages

The median duration of a DNSSEC outage is 8 days. The following may or may not concern large organizations, but when duration is taken into account, a major outage is implied. Bidding starts at 1 DNSSEC-year.

Terminology note: The duration of the coveted 1000-day DNSSEC outage is known as a kiloday.

Software

Miscellaneous

DNSSEC Failure Modes

What a mess

DNSSEC is not encrypted, which is responsible for many of its failures. Rather than doing per-message/packet encryption like other secure protocols, DNSSEC was made compatable with censorship and surveillance. To enable censorship and surveillance, an extremely complex and thus fragile protocol was required, thereby resulting in outages, semi-outages, and sometimes just plain bizarre situations. Here are some examples:

Hall of Fame DNSSEC Outages