.red DNSSEC Outage: 2014-01-20
Updated: March 21, 2018
Overview
Outage date: January 20, 2014
Note that this was an uneven outage: Verisign claims problems, DNSViz doesn't. Unbound reports DNSSEC validation failures, but queries succeed. It is reasonable to believe some DNSSEC implementations failed.
First noticed on Twitter
This discussion on Twitter shows the difficulty in debugging the problem. These are smart people who have immense experience with DNS, and yet, they struggle to comprehend this DNSSEC failure. The root problem is unnecessary complexity.
DNS-OARC
This DNSSEC failure was discussed in [dns-operations] DNSSEC at ICANN: still no check?
Verisign's DNSSEC Debugger
Verisign doesn't archive test results, unlike DNSViz. So here's a screenshot I took on January 20, 2014:
Log entries
- [1390241389] unbound[8751:0] info: validation failure <c0.nic.red. A IN>: no DNSSEC records from 65.22.37.25 for DS c0.nic.red. while building chain of trust
- [1390241389] unbound[8751:0] info: validation failure <a0.nic.red. A IN>: no DNSSEC records from 65.22.36.25 for DS a0.nic.red. while building chain of trust
- [1390241389] unbound[8751:0] info: validation failure <b0.nic.red. A IN>: no DNSSEC records from 65.22.39.25 for DS b0.nic.red. while building chain of trust
- [1390241389] unbound[8751:0] info: validation failure <a2.nic.red. A IN>: no DNSSEC records from 65.22.38.25 for DS a2.nic.red. while building chain of trust
- [1390241796] unbound[8751:0] info: validation failure <nic.red. SOA IN>: no signatures from 65.22.37.25
- [1390241797] unbound[8751:0] info: validation failure <nic.red. A IN>: no signatures from 65.22.36.25
- [1390241798] unbound[8751:0] info: validation failure <nic.red. MX IN>: no signatures from 65.22.37.25
- [1390241798] unbound[8751:0] info: validation failure <nic.red. NS IN>: no signatures from 65.22.37.25
- [1390241799] unbound[8751:0] info: validation failure <nic.red. TXT IN>: no signatures from 65.22.36.25
- [1390244003] unbound[8751:0] info: validation failure <nic.red. NS IN>: no signatures from 65.22.39.25
- [1390244049] unbound[8751:0] info: validation failure <nic.red. SOA IN>: no signatures from 65.22.36.25