af.mil DNSSEC Outage: 2014-04-16
Date: April 16, 2014
Overview
This page gives some details on the af.mil DNSSEC outage of April 16, 2014. The duration was a little over one hour.
Verisign's DNSSEC Debugger
Verisign doesn't archive test results, unlike DNSViz. So here's a screenshot I took on April 16, 2014:
DNSViz
DNSViz archived outages at 2014-04-16 20:38:53 UTC and 2014-04-16 21:25:42 UTC.
OpenDNS & Google Public DNS
OpenDNS does not support DNSSEC, instead supporting DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users could not resolve names under af.mil during this outage.
With OpenDNS, queries succeed:
$ dig ns af.mil @resolver1.opendns.com
; <<>> DiG 9.4.2-P2 <<>> ns af.mil @resolver1.opendns.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35031
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;af.mil. IN NS
;; ANSWER SECTION:
af.mil. 5698 IN NS MOLESWORTH-NS1.AFNOC.af.mil.
af.mil. 5698 IN NS HICKAM-NS1.AFNOC.af.mil.
af.mil. 5698 IN NS LACKLAND-NS1.AFNOC.af.mil.
af.mil. 5698 IN NS VANDENBERG-NS1.AFNOC.af.mil.
af.mil. 5698 IN NS LANGLEY-NS1.AFNOC.af.mil.
af.mil. 5698 IN NS SCOTT-NS1.AFNOC.af.mil.
af.mil. 5698 IN NS AVIANO-NS1.AFNOC.af.mil.
;; Query time: 17 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Wed Apr 16 15:45:41 2014
;; MSG SIZE rcvd: 215
With Google Public DNS, queries fail:
$ dig mx af.mil @8.8.8.8
; <<>> DiG 9.4.2-P2 <<>> mx af.mil @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62359
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;af.mil. IN MX
;; Query time: 210 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Apr 16 15:43:20 2014
;; MSG SIZE rcvd: 24
Logfile examples
- [1397679294] unbound[9457:0] info: validation failure <pac.hq.af.mil. NS IN>: No DNSKEY record from 132.3.29.4 for key af.mil. while building chain of trust
- [1397679304] unbound[9457:0] info: validation failure <macdill.af.mil. NS IN>: key for validation af.mil. is marked as invalid because of a previous validation failure <pac.hq.af.mil. NS IN>: No DNSKEY record from 132.3.29.4 for key af.mil. while building chain of
- [1397679781] unbound[9457:0] info: validation failure <edwards.af.mil. NS IN>: key for validation af.mil. is marked as invalid because of a previous validation failure <travis.af.mil. NS IN>: No DNSKEY record from 132.3.1.4 for key af.mil. while building chain of trust
- [1397684559] unbound[9457:0] info: validation failure <af.mil. SOA IN>: No DNSKEY record from 132.3.41.4 for key af.mil. while building chain of trust
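The log lines above can be reduced to an outage summary. The following is an added example, not part of the original page: it parses unbound's validation-failure lines, separates fresh failures from ones answered from a cached bad-key verdict, and reports per zone the authoritative servers named and the first and last failure times. The function and field names are assumptions of this example; the input is the four log lines shown above.

```python
import re
from datetime import datetime, timezone

# The four unbound lines from "Logfile examples" above, list markers removed,
# otherwise as they appear on the page (the second is cut off after "chain of").
SAMPLE_LOG = """\
[1397679294] unbound[9457:0] info: validation failure <pac.hq.af.mil. NS IN>: No DNSKEY record from 132.3.29.4 for key af.mil. while building chain of trust
[1397679304] unbound[9457:0] info: validation failure <macdill.af.mil. NS IN>: key for validation af.mil. is marked as invalid because of a previous validation failure <pac.hq.af.mil. NS IN>: No DNSKEY record from 132.3.29.4 for key af.mil. while building chain of
[1397679781] unbound[9457:0] info: validation failure <edwards.af.mil. NS IN>: key for validation af.mil. is marked as invalid because of a previous validation failure <travis.af.mil. NS IN>: No DNSKEY record from 132.3.1.4 for key af.mil. while building chain of trust
[1397684559] unbound[9457:0] info: validation failure <af.mil. SOA IN>: No DNSKEY record from 132.3.41.4 for key af.mil. while building chain of trust
"""

FAILURE = re.compile(
    r"\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: validation failure "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: (?P<reason>.*)")
# Root cause: which server did not return the DNSKEY set, and for which zone.
NO_DNSKEY = re.compile(r"No DNSKEY record from (?P<server>\S+) for key (?P<zone>\S+)")

def parse(log):
    """Yield one dict per validation-failure line; other lines are skipped."""
    for line in log.splitlines():
        m = FAILURE.search(line)
        if not m:
            continue
        cause = NO_DNSKEY.search(m["reason"])
        yield {
            "time": datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc),
            "query": f'{m["qname"]} {m["qtype"]}',
            # Later queries fail on the cached verdict for the zone key.
            "cached_verdict": "marked as invalid" in m["reason"],
            "server": cause["server"] if cause else None,
            "zone": cause["zone"] if cause else None,
        }

def summarize(events):
    """Group failures by the zone whose DNSKEY could not be fetched."""
    zones = {}
    for e in events:
        z = zones.setdefault(e["zone"], {"first": e["time"], "last": e["time"],
                                         "servers": set(), "queries": set(), "cached": 0})
        z["first"], z["last"] = min(z["first"], e["time"]), max(z["last"], e["time"])
        z["servers"].add(e["server"])
        z["queries"].add(e["query"])
        z["cached"] += e["cached_verdict"]
    return zones

if __name__ == "__main__":
    for zone, z in summarize(parse(SAMPLE_LOG)).items():
        print(zone, z["first"].isoformat(), z["last"].isoformat(), z["last"] - z["first"])
        print("  servers:", sorted(z["servers"]), "cached verdicts:", z["cached"])
```

The first-to-last span covers only the failures this one resolver happened to log, so it is a lower bound on the observed window, not the outage duration itself.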