knot-dns.cz Partial DNSSEC Outage: 20140822

Date: August 22, 2014

Overview

This page gives some details on the knot-dns.cz partial DNSSEC outage of August 22, 2014. It contains citations to Verisign's DNSSEC Debugger and DNSViz, and a Twitter conversation between knot-dns.cz and a user. There is also a comparison of OpenDNS and Google Public DNS.

Verisign's DNSSEC Debugger

Verisign doesn't archive test results, unlike DNSViz. So here's a screenshot I took on August 22, 2014:

[Screenshot: knot-dns.cz Partial DNSSEC Outage]

DNSViz

DNSViz did not report any problems during the time in question.

OpenDNS vs. Google Public DNS

Using OpenDNS (without DNSSEC), the query succeeds:

$ dig www.knot-dns.cz @resolver1.opendns.com

; <<>> DiG 9.4.2-P2 <<>> www.knot-dns.cz @resolver1.opendns.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6851
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.knot-dns.cz. IN A

;; ANSWER SECTION:
www.knot-dns.cz. 1800 IN A 217.31.205.55

;; Query time: 150 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sat Aug 23 02:37:31 2014
;; MSG SIZE rcvd: 49


Using Google Public DNS (with DNSSEC), the query fails:

$ dig www.knot-dns.cz @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> www.knot-dns.cz @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55372
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.knot-dns.cz. IN A

;; Query time: 280 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Aug 23 02:37:08 2014
;; MSG SIZE rcvd: 33
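
The comparison above can be turned into a repeatable check. This is an added example, not part of the original page: it parses the two dig headers shown above and classifies the pair. The third transcript (the validating resolver re-queried with dig +cd, checking disabled) is a constructed sample, and the function names are hypothetical.

```python
import re

# Header lines copied from the two dig transcripts on this page.
OPENDNS = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6851
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0"""
GOOGLE = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55372
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"""
# Constructed sample (not from the page): the same validating resolver
# re-queried with checking disabled (dig +cd), answering normally.
GOOGLE_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0"""

HEADER = re.compile(r"status: (\w+), id: \d+")
FLAGS = re.compile(r"flags: ([a-z ]*); QUERY: \d+, ANSWER: (\d+)")

def parse_dig(text):
    """Extract rcode, header flags and answer count from dig output."""
    status, flags = HEADER.search(text), FLAGS.search(text)
    if not status or not flags:
        raise ValueError("no dig header found")
    return {"rcode": status.group(1),
            "flags": set(flags.group(1).split()),
            "answers": int(flags.group(2))}

def classify(non_validating, validating, validating_cd=None):
    """Compare a non-validating and a validating resolver's replies."""
    nv, v = parse_dig(non_validating), parse_dig(validating)
    if v["rcode"] != "SERVFAIL":
        return "validating resolver answered; no validation failure seen"
    if nv["rcode"] == "SERVFAIL":
        return "both resolvers fail; not specific to DNSSEC"
    if validating_cd is None:
        return "suspected DNSSEC validation failure; confirm with +cd"
    cd = parse_dig(validating_cd)
    if "cd" not in cd["flags"]:
        # The CD bit is copied into the response; its absence means the
        # transcript was not taken with checking disabled.
        raise ValueError("third transcript was not taken with +cd")
    if cd["rcode"] == "NOERROR" and cd["answers"] > 0:
        return "confirmed DNSSEC validation failure"
    return "resolver fails even with +cd; look beyond DNSSEC"

if __name__ == "__main__":
    print(classify(OPENDNS, GOOGLE))
    print(classify(OPENDNS, GOOGLE, GOOGLE_CD))
```
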

First noticed on Twitter

This partial outage was first reported by a user on Twitter.