NASA DNSSEC Outage: 2014-08-21
Date: August 21, 2014
Overview
This page gives some details on the nasa.gov (NASA) DNSSEC outage of August 21, 2014. It contains unbound logs and citations to Verisign's DNSSEC Debugger and DNSViz. There is also a comparison of OpenDNS and Google Public DNS.
At the time of this writing, nasa.gov has had DNSSEC outages in January 2012, July 2014, and now August 2014.
Verisign's DNSSEC Debugger
Verisign doesn't archive test results, unlike DNSViz. So here's a screenshot I took on August 21, 2014:
DNSViz
- 2014-08-22 01:49:01 UTC: approximate start of the DNSSEC outage.
- 2014-08-22 03:41:38 UTC: approximate end, despite the bogus RRSIG in one of the DNSKEYs.
OpenDNS vs. Google Public DNS
With OpenDNS, which does not do DNSSEC validation, the query succeeds:
$ dig www.nasa.gov @resolver1.opendns.com
; <<>> DiG 9.4.2-P2 <<>> www.nasa.gov @resolver1.opendns.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55854
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.nasa.gov. IN A
;; ANSWER SECTION:
www.nasa.gov. 343 IN CNAME www.nasawestprime.com.
www.nasawestprime.com. 119 IN CNAME iznasa.hs.llnwd.net.
iznasa.hs.llnwd.net. 301 IN A 208.111.171.236
;; Query time: 16 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Thu Aug 21 22:16:06 2014
;; MSG SIZE rcvd: 114
With Google Public DNS, which does DNSSEC validation, the query fails:
$ dig www.nasa.gov @8.8.8.8
; <<>> DiG 9.4.2-P2 <<>> www.nasa.gov @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 487
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.nasa.gov. IN A
;; Query time: 31 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Aug 21 22:16:43 2014
;; MSG SIZE rcvd: 30
Log entries
- [1408677687] unbound[11219:0] info: validation failure <jpl.nasa.gov. MX IN>: key for validation nasa.gov. is marked as invalid because of a previous validation failure <earthdata.nasa.gov. MX IN>: no keys have a DS with algorithm RSASHA1 from 198.116.4.181 for key nasa.gov. while building chain of trust
- [1408677696] unbound[11219:0] info: validation failure <nasajobs.nasa.gov. A IN>: key for validation nasa.gov. is marked as invalid because of a previous validation failure <earthdata.nasa.gov. MX IN>: no keys have a DS with algorithm RSASHA1 from 198.116.4.181 for key nasa.gov. while building chain of trust
- [1408677707] unbound[11219:0] info: validation failure <nasa.gov. MX IN>: key for validation nasa.gov. is marked as invalid because of a previous validation failure <earthdata.nasa.gov. MX IN>: no keys have a DS with algorithm RSASHA1 from 198.116.4.181 for key nasa.gov. while building chain of trust
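Added example, not part of the original page: a small parser for the unbound entries above that separates each failed query from the earlier failure that marked the nasa.gov. key invalid, then groups the results by zone. The regular expressions cover only the message shape quoted on this page, and the function and field names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Regexes cover only the unbound message shape quoted on this page (assumption).
LINE = re.compile(r"\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: validation failure "
                  r"<(?P<query>[^>]+)>: (?P<reason>.*)")
CASCADE = re.compile(r"key for validation \S+ is marked as invalid because of a "
                     r"previous validation failure <(?P<first>[^>]+)>: (?P<cause>.*)")
ZONE = re.compile(r"for key (?P<zone>\S+)")
SERVER = re.compile(r" from (?P<ip>\S+) for key ")

# Sample input: the three entries from this page, rebuilt from their common text.
_REASON = ("key for validation nasa.gov. is marked as invalid because of a previous "
           "validation failure <earthdata.nasa.gov. MX IN>: no keys have a DS with "
           "algorithm RSASHA1 from 198.116.4.181 for key nasa.gov. while building "
           "chain of trust")
SAMPLE = [f"[{ts}] unbound[11219:0] info: validation failure <{q}>: {_REASON}"
          for ts, q in [(1408677687, "jpl.nasa.gov. MX IN"),
                        (1408677696, "nasajobs.nasa.gov. A IN"),
                        (1408677707, "nasa.gov. MX IN")]]

def parse(line):
    """Return a record for a validation-failure line, or None for any other line."""
    m = LINE.search(line)
    if not m:
        return None
    cascade = CASCADE.match(m["reason"])  # failure inherited from an earlier one?
    cause = cascade["cause"] if cascade else m["reason"]
    zone, server = ZONE.search(cause), SERVER.search(cause)
    return {"ts": int(m["ts"]), "query": m["query"], "cause": cause,
            "first_failure": cascade["first"] if cascade else m["query"],
            "zone": zone["zone"] if zone else None,
            "server": server["ip"] if server else None}

def summarize(lines):
    """Group failures by zone: affected queries, root cause, server, time window."""
    acc = defaultdict(lambda: defaultdict(set))
    for rec in filter(None, map(parse, lines)):
        for field in ("ts", "query", "first_failure", "cause", "server"):
            if rec[field] is not None:
                acc[rec["zone"]][field].add(rec[field])
    iso = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
    return {zone: {"queries": sorted(f["query"]), "root_queries": sorted(f["first_failure"]),
                   "causes": sorted(f["cause"]), "servers": sorted(f["server"]),
                   "first_seen": iso(min(f["ts"])), "last_seen": iso(max(f["ts"]))}
            for zone, f in acc.items()}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the sample, all three failed queries collapse to one zone, one root query (earthdata.nasa.gov. MX) and one cause, which is the signal that the break is in the zone's chain of trust rather than in the individual records.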