.red DNSSEC Outage: 20140120

Updated: January 21, 2014

Overview

Outage date: January 20, 2014

Note that this was an uneven outage: Verisign claims problems, DNSViz doesn't. Unbound reports DNSSEC validation failures, but queries succeed. It is reasonable to believe some DNSSEC implementations failed.

First noticed on Twitter

This discussion on Twitter shows the difficulty in debugging the problem. These are smart people who have immense experience with DNS, and yet, they struggle to comprehend this DNSSEC failure. The root problem is unnecessary complexity.

Verisign's DNSSEC Debugger

Verisign doesn't archive test results, unlike DNSViz. So here's a screenshot I took on January 20, 2014:

red dnssec outage

DNSViz

DNSViz did not report any problems.

Log entries