af.mil DNSSEC Outage: 2014-04-16

Date: April 16, 2014

Overview

This page gives some details on the af.mil DNSSEC outage of April 16, 2014. The duration was a little over one hour.

Verisign's DNSSEC Debugger

Verisign doesn't archive test results, unlike DNSViz. So here's a screenshot I took on April 16, 2014:

[Screenshot: af.mil DNSSEC outage]

DNSViz

DNSViz archived outages at 2014-04-16 20:38:53 UTC and 2014-04-16 21:25:42 UTC.

OpenDNS & Google Public DNS

OpenDNS does not support DNSSEC; it supports DNSCurve instead. Google Public DNS currently supports only DNSSEC, so Google's users could not resolve names under af.mil during this outage.

With OpenDNS, queries succeed:

$ dig ns af.mil @resolver1.opendns.com

; <<>> DiG 9.4.2-P2 <<>> ns af.mil @resolver1.opendns.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35031
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;af.mil. IN NS

;; ANSWER SECTION:
af.mil. 5698 IN NS MOLESWORTH-NS1.AFNOC.af.mil.
af.mil. 5698 IN NS HICKAM-NS1.AFNOC.af.mil.
af.mil. 5698 IN NS LACKLAND-NS1.AFNOC.af.mil.
af.mil. 5698 IN NS VANDENBERG-NS1.AFNOC.af.mil.
af.mil. 5698 IN NS LANGLEY-NS1.AFNOC.af.mil.
af.mil. 5698 IN NS SCOTT-NS1.AFNOC.af.mil.
af.mil. 5698 IN NS AVIANO-NS1.AFNOC.af.mil.

;; Query time: 17 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Wed Apr 16 15:45:41 2014
;; MSG SIZE rcvd: 215


With Google Public DNS, queries fail:

$ dig mx af.mil @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> mx af.mil @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62359
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;af.mil. IN MX

;; Query time: 210 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Apr 16 15:43:20 2014
;; MSG SIZE rcvd: 24
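
The comparison above can be automated. The following is an added example, not part of the original page: it parses the header lines of the two dig transcripts shown here and flags the pattern where the validating resolver returns SERVFAIL while the non-validating one answers. The function names and result strings are assumptions made for illustration.

```python
import re

# Header lines copied from the two dig transcripts on this page
# (the page queried NS via OpenDNS and MX via Google; both are for af.mil).
OPENDNS_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35031
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
"""
GOOGLE_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62359
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

STATUS_RE = re.compile(r"->>HEADER<<-.*?status:\s*(\w+)")
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);.*?ANSWER:\s*(\d+)", re.M)


def parse_dig(text):
    """Extract the rcode, header flags and answer count from dig's text output."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("no dig header found in input")
    return {
        "rcode": status.group(1),
        "flags": set(flags.group(1).split()),
        "answers": int(flags.group(2)),
    }


def classify(validating, non_validating):
    """Compare replies for one zone from a validating and a non-validating resolver."""
    v, n = parse_dig(validating), parse_dig(non_validating)
    if v["rcode"] == "SERVFAIL" and n["rcode"] == "NOERROR" and n["answers"] > 0:
        # Data is reachable, but the validating resolver refuses to return it.
        return "probable DNSSEC validation failure"
    if v["rcode"] == "SERVFAIL" and n["rcode"] == "SERVFAIL":
        # Both fail, so the cause is more likely reachability than signatures.
        return "zone unreachable for both resolvers"
    if v["rcode"] == n["rcode"]:
        return "no difference"
    return "inconclusive"


if __name__ == "__main__":
    print(classify(GOOGLE_REPLY, OPENDNS_REPLY))
```

The result is labelled "probable" because SERVFAIL alone does not name its cause; the DNSViz and Verisign results above are what confirm the DNSSEC failure.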

Logfile examples