.kg DNSSEC Outage: 2014-01-01
Date: January 1, 2014
Overview
This page gives some details on the .kg (Kyrgyzstan) DNSSEC outage of January 1, 2014. It contains Unbound validator log entries, references to Verisign's DNSSEC Debugger and DNSViz, and a comparison of how OpenDNS and Google Public DNS answered during the outage.
Verisign's DNSSEC Debugger
Verisign doesn't archive test results, unlike DNSViz. So here's a screenshot I took on January 1, 2014:
DNSViz
At 2013-12-31 21:41:40 UTC, DNSViz reported upcoming RRSIG expirations for 4 DNSKEY records and 2 SOA records, because the records' TTLs extended past the signatures' expiration times (a copy cached at that moment would still be served after the signature had expired):
- RRSIG kg/DNSKEY by kg/DNSKEY alg 5, key 49950: With a TTL of 24598, this RRSIG will expire in the cache of non-validating resolvers (i.e., now + TTL > expiration).
- RRSIG kg/DNSKEY by kg/DNSKEY alg 5, key 49950: With a TTL of 67798, this RRSIG will expire in the cache of non-validating resolvers (i.e., now + TTL > expiration).
- RRSIG kg/DNSKEY by kg/DNSKEY alg 5, key 49954: With a TTL of 24598, this RRSIG will expire in the cache of non-validating resolvers (i.e., now + TTL > expiration).
- RRSIG kg/DNSKEY by kg/DNSKEY alg 5, key 49954: With a TTL of 67798, this RRSIG will expire in the cache of non-validating resolvers (i.e., now + TTL > expiration).
- RRSIG kg/SOA by kg/DNSKEY alg 5, key 49950: With a TTL of 24598, this RRSIG will expire in the cache of non-validating resolvers (i.e., now + TTL > expiration).
- RRSIG kg/SOA by kg/DNSKEY alg 5, key 49950: With a TTL of 67798, this RRSIG will expire in the cache of non-validating resolvers (i.e., now + TTL > expiration).
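The test DNSViz applies in each of the warnings above is now + TTL > expiration. The following is an added example (not DNSViz's code and not the page author's) that carries that check through with the values the list gives: the snapshot time 2013-12-31 21:41:40 UTC and the two TTLs, 24598 and 67798 seconds. The signature expiration time is an assumption, since the page does not state it; the code also reports how many seconds of headroom each TTL has and the largest TTL that would have been safe at snapshot time.

```python
from datetime import datetime, timedelta, timezone

# RRSIG inception/expiration presentation format (RFC 4034): YYYYMMDDHHmmSS in UTC.
def parse_rrsig_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def expires_in_cache(now: datetime, ttl: int, expiration: datetime) -> bool:
    """DNSViz's warning condition: a copy cached at `now` with this TTL can still be
    handed out by a non-validating resolver after the signature has expired."""
    return now + timedelta(seconds=ttl) > expiration

def headroom_seconds(now: datetime, ttl: int, expiration: datetime) -> int:
    """Seconds between the cached copy's last moment of life and the signature expiry;
    negative means the record can outlive its signature in a cache."""
    return int((expiration - (now + timedelta(seconds=ttl))).total_seconds())

def max_safe_ttl(now: datetime, expiration: datetime) -> int:
    """Largest TTL for which now + TTL <= expiration (0 if the signature is already expired)."""
    return max(0, int((expiration - now).total_seconds()))

# Values from the page: the DNSViz snapshot time and the two TTLs it reported.
SNAPSHOT = parse_rrsig_time("20131231214140")
PAGE_TTLS = (24598, 67798)
# ASSUMPTION (not on the page): the RRSIGs expire at 03:00:00 UTC on 2014-01-01.
ASSUMED_EXPIRATION = parse_rrsig_time("20140101030000")

def check_ttls(now=SNAPSHOT, expiration=ASSUMED_EXPIRATION, ttls=PAGE_TTLS) -> dict:
    """Map each TTL to (will_expire_in_cache, headroom_seconds)."""
    return {ttl: (expires_in_cache(now, ttl, expiration),
                  headroom_seconds(now, ttl, expiration)) for ttl in ttls}

if __name__ == "__main__":
    for ttl, (bad, head) in check_ttls().items():
        print(f"TTL {ttl:>6}: {'WILL EXPIRE IN CACHE' if bad else 'ok'} (headroom {head} s)")
    print("largest safe TTL at snapshot time:", max_safe_ttl(SNAPSHOT, ASSUMED_EXPIRATION), "s")
```

With the assumed expiration, both page TTLs fail the check (negative headroom), while a TTL of 3600 would not; the same functions can be pointed at the real inception/expiration fields of any RRSIG to monitor a zone's signing margin.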
By 2014-01-01 17:02:41 UTC, 19 hours and 20 minutes later, there were still some expired RRSIGs and a bogus SOA, but the situation was calming down.
OpenDNS vs. Google Public DNS
Against OpenDNS, which does not validate DNSSEC, the query succeeds:
$ date -u; dig ns kg @resolver1.opendns.com
Wed Jan 1 20:13:33 UTC 2014
; <<>> DiG 9.4.2-P2 <<>> ns kg @resolver1.opendns.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18222
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;kg. IN NS
;; ANSWER SECTION:
kg. 172216 IN NS ns.kg.
kg. 172216 IN NS kg.cctld.authdns.ripe.net.
;; Query time: 17 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Wed Jan 1 14:13:33 2014
;; MSG SIZE rcvd: 76
Against Google Public DNS, which validates DNSSEC, the same query fails with SERVFAIL:
$ date -u; dig ns kg @8.8.8.8
Wed Jan 1 20:14:31 UTC 2014
; <<>> DiG 9.4.2-P2 <<>> ns kg @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51029
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;kg. IN NS
;; Query time: 138 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jan 1 14:14:31 2014
;; MSG SIZE rcvd: 20
Log entries
- [1388559717] unbound[25603:0] info: validation failure <com.kg. SOA IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust
- [1388559717] unbound[25603:0] info: validation failure <com.kg. TXT IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust
- [1388559902] unbound[25603:0] info: validation failure <gov.kg. SOA IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust
- [1388559902] unbound[25603:0] info: validation failure <gov.kg. TXT IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust
- [1388560289] unbound[25603:0] info: validation failure <mil.kg. SOA IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust
- [1388560289] unbound[25603:0] info: validation failure <mil.kg. TXT IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust
- [1388560295] unbound[25603:0] info: validation failure <net.kg. A IN>: key for validation kg. is marked as invalid because of a previous validation failure <flchdrdismgerbdb.mil.kg. SOA IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust
- [1388560786] unbound[25603:0] info: validation failure <kg. TXT IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust
- [1388560786] unbound[25603:0] info: validation failure <kg. SOA IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust
- [1388608282] unbound[3274:0] info: validation failure <kg. NS IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust
- [1388624573] unbound[12593:0] info: validation failure <kg. NS IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust
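As an added example, not part of the original page, the following parses the Unbound log entries above into structured events and summarizes them: which names failed, against which key and authoritative server, over what time span, and which failures were direct "signature expired" results versus the one cascaded failure (net.kg., which failed only because the kg. key had already been marked invalid by the earlier mil.kg. failure). The sample input is the page's own log lines, embedded here as constructed test data; the regular expressions are assumptions about the line shape and cover only the message forms seen on this page.

```python
import re
from datetime import datetime, timezone

# Shape of an Unbound "validation failure" info line as it appears on this page
# (assumption: other Unbound versions or messages may differ).
LINE_RE = re.compile(
    r"^\[(?P<epoch>\d+)\] unbound\[(?P<pid>\d+):(?P<thread>\d+)\] info: validation failure "
    r"<(?P<qname>\S+) (?P<qtype>\S+) IN>: (?P<detail>.+)$"
)
CAUSE_RE = re.compile(r"signature expired from (?P<server>\S+) for key (?P<key>\S+)")
CASCADE_RE = re.compile(r"previous validation failure <(?P<orig_qname>\S+) (?P<orig_qtype>\S+) IN>")

# The page's log entries, used here as constructed sample input.
PAGE_LOG_LINES = [
    "[1388559717] unbound[25603:0] info: validation failure <com.kg. SOA IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust",
    "[1388559717] unbound[25603:0] info: validation failure <com.kg. TXT IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust",
    "[1388559902] unbound[25603:0] info: validation failure <gov.kg. SOA IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust",
    "[1388559902] unbound[25603:0] info: validation failure <gov.kg. TXT IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust",
    "[1388560289] unbound[25603:0] info: validation failure <mil.kg. SOA IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust",
    "[1388560289] unbound[25603:0] info: validation failure <mil.kg. TXT IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust",
    "[1388560295] unbound[25603:0] info: validation failure <net.kg. A IN>: key for validation kg. is marked as invalid because of a previous validation failure <flchdrdismgerbdb.mil.kg. SOA IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust",
    "[1388560786] unbound[25603:0] info: validation failure <kg. TXT IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust",
    "[1388560786] unbound[25603:0] info: validation failure <kg. SOA IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust",
    "[1388608282] unbound[3274:0] info: validation failure <kg. NS IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust",
    "[1388624573] unbound[12593:0] info: validation failure <kg. NS IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust",
]

def parse_line(line: str):
    """Return a dict describing one validation failure, or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["epoch"] = int(ev["epoch"])
    ev["time"] = datetime.fromtimestamp(ev["epoch"], tz=timezone.utc)
    cause = CAUSE_RE.search(ev["detail"])
    ev["server"] = cause.group("server") if cause else None
    ev["key"] = cause.group("key") if cause else None
    # A cascaded failure names the earlier query that poisoned the key's validation state.
    cascade = CASCADE_RE.search(ev["detail"])
    ev["cascaded_from"] = cascade.group("orig_qname") if cascade else None
    return ev

def summarize(lines):
    """Aggregate parsed events into the figures an operator would want from the log."""
    events = [e for e in map(parse_line, lines) if e]
    direct = [e for e in events if e["cascaded_from"] is None]
    epochs = [e["epoch"] for e in events]
    return {
        "events": len(events),
        "direct": len(direct),
        "cascaded": len(events) - len(direct),
        "names": sorted({e["qname"] for e in events}),
        "keys": sorted({e["key"] for e in events if e["key"]}),
        "servers": sorted({e["server"] for e in events if e["server"]}),
        "first": min(e["time"] for e in events).isoformat(),
        "span_seconds": max(epochs) - min(epochs),
    }

if __name__ == "__main__":
    for k, v in summarize(PAGE_LOG_LINES).items():
        print(f"{k:>13}: {v}")
```

Run on the page's lines, the summary shows every failure pinned on the single kg. key served from 193.0.9.84, spread over roughly 18 hours, which matches the DNSViz timeline above; the cascaded event is the one to watch for in a real incident, since it shows the validator refusing names that were never themselves mis-signed.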