.mm DNSSEC Outage: 2014-07-30
Updated: October 6, 2014
Overview
This page gives some details on the .mm DNSSEC outage of July 30, 2014. The duration was approximately 4.5 hours.
DNSViz
- 2014-07-30 03:17:09 UTC: Beginning of the outage
- 2014-07-30 08:31:57 UTC: Outage is resolved
OpenDNS & Google Public DNS
OpenDNS does not support DNSSEC, instead supporting DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users saw SERVFAIL for names under .mm during this outage.
With OpenDNS, queries succeed:
$ dig www.google.com.mm @resolver1.opendns.com
; <<>> DiG 9.4.2-P2 <<>> www.google.com.mm @resolver1.opendns.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13671
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.google.com.mm. IN A
;; ANSWER SECTION:
www.google.com.mm. 300 IN A 74.125.225.119
www.google.com.mm. 300 IN A 74.125.225.127
www.google.com.mm. 300 IN A 74.125.225.120
www.google.com.mm. 300 IN A 74.125.225.111
;; Query time: 401 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Tue Jul 29 22:40:39 2014
;; MSG SIZE rcvd: 99
With Google Public DNS, queries fail:
$ dig www.google.com.mm @8.8.8.8
; <<>> DiG 9.4.2-P2 <<>> www.google.com.mm @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1418
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.google.com.mm. IN A
;; Query time: 1264 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jul 29 22:40:16 2014
;; MSG SIZE rcvd: 35
Logfile examples
- [1406690724] unbound[19610:0] info: validation failure <www.dca.gov.mm. A IN>: signature expired from 193.0.9.96 for key mm. while building chain of trust
- [1406706208] unbound[1754:0] info: validation failure <mm. NS IN>: signature expired from 203.81.64.20 for key mm. while building chain of trust