.red DNSSEC Outage: 2014-01-20

Updated: March 21, 2018

Overview

Outage date: January 20, 2014

Note that this was an uneven outage: Verisign claims problems, DNSViz doesn't. Unbound reports DNSSEC validation failures, but queries succeed. It is reasonable to believe some DNSSEC implementations failed.

First noticed on Twitter

This discussion on Twitter shows the difficulty in debugging the problem. These are smart people who have immense experience with DNS, and yet, they struggle to comprehend this DNSSEC failure. The root problem is unnecessary complexity.

DNS-OARC

This DNSSEC failure was discussed in the thread "[dns-operations] DNSSEC at ICANN: still no check?"

Verisign's DNSSEC Debugger

Verisign doesn't archive test results, unlike DNSViz. So here's a screenshot I took on January 20, 2014:

[Screenshot: red dnssec outage]

Log entries