NASA DNSSEC Outage: 2014-08-21

Date: August 21, 2014

Overview

This page gives some details on the nasa.gov (NASA) DNSSEC outage of August 21, 2014. It contains unbound logs and citations to Verisign's DNSSEC Debugger and DNSViz. There is also a comparison of OpenDNS and Google Public DNS.

At the time of this writing, nasa.gov has had DNSSEC outages in January 2012, July 2014, and now August 2014.

Verisign's DNSSEC Debugger

Verisign doesn't archive test results, unlike DNSViz. So here's a screenshot I took on August 21, 2014:

[Screenshot: NASA DNSSEC Outage]

DNSViz

OpenDNS vs. Google Public DNS

With OpenDNS, which does not validate DNSSEC, the query succeeds:

$ dig www.nasa.gov @resolver1.opendns.com

; <<>> DiG 9.4.2-P2 <<>> www.nasa.gov @resolver1.opendns.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55854
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.nasa.gov. IN A

;; ANSWER SECTION:
www.nasa.gov. 343 IN CNAME www.nasawestprime.com.
www.nasawestprime.com. 119 IN CNAME iznasa.hs.llnwd.net.
iznasa.hs.llnwd.net. 301 IN A 208.111.171.236

;; Query time: 16 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Thu Aug 21 22:16:06 2014
;; MSG SIZE rcvd: 114


With Google Public DNS, which validates DNSSEC, the query fails:

$ dig www.nasa.gov @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> www.nasa.gov @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 487
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.nasa.gov. IN A

;; Query time: 31 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Aug 21 22:16:43 2014
;; MSG SIZE rcvd: 30
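
As an added example (not part of the original page), the following Python parses the header lines of the two dig responses above and flags the pattern they show: a non-validating resolver answers while a validating one returns SERVFAIL. The names parse_dig and classify and the verdict strings are assumptions made for this example.

```python
import re

# Header, flags and SERVER lines copied from the two dig outputs on this page.
OPENDNS = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55854
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; SERVER: 208.67.222.222#53(208.67.222.222)
"""
GOOGLE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 487
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; SERVER: 8.8.8.8#53(8.8.8.8)
"""

def parse_dig(text):
    """Extract status, header flags, answer count and server from dig output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r";; flags: ([a-z ]*);", text)
    answers = re.search(r"ANSWER: (\d+)", text)
    server = re.search(r";; SERVER: ([^#\s]+)#", text)
    if not (status and flags and answers):
        raise ValueError("not a dig response header")
    return {
        "status": status.group(1),
        "flags": flags.group(1).split(),
        "answers": int(answers.group(1)),
        "server": server.group(1) if server else None,
    }

def classify(non_validating, validating):
    """Compare a non-validating resolver's reply with a validating one's."""
    nv, v = parse_dig(non_validating), parse_dig(validating)
    if nv["status"] == "NOERROR" and nv["answers"] > 0:
        if v["status"] == "SERVFAIL":
            # Data exists, but the validating resolver refuses to return it.
            return "validation-failure-suspected"
        if v["status"] == "NOERROR" and "ad" in v["flags"]:
            # AD flag: the resolver reports the answer as DNSSEC-validated.
            return "validated"
        if v["status"] == "NOERROR":
            return "resolves-unsigned-or-unvalidated"
    if nv["status"] == v["status"]:
        return "same-result:" + v["status"]
    return "inconclusive"

if __name__ == "__main__":
    print(classify(OPENDNS, GOOGLE))
```

SERVFAIL has causes other than DNSSEC, so the verdict is only a suspicion; repeating the query against the validating resolver with `dig +cd` (checking disabled) shows whether the answer comes back once validation is skipped.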

Log entries