.mm partial DNSSEC Outage: 2014-08-29
Date: August 29, 2014
Overview
This page gives some details on the .mm partial DNSSEC outage of August 29, 2014.
DNSViz
- 2014-08-29 06:20:01 UTC — expired RRSIGs for DNSKEY and SOA records
- 2014-08-29 16:29:55 UTC — all problems resolved
Verisign's DNSSEC Debugger
Verisign doesn't archive test results, unlike DNSViz. So here's a screenshot I took on August 29, 2014:
dnscheck.iis.se
The following page requires javascript. dnscheck.iis.se reports expired DNSKEY signatures and "[n]ot enough valid signatures found for mm."
OpenDNS & Google Public DNS
OpenDNS does not support DNSSEC, instead supporting DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users saw SERVFAIL for some queries under .mm during this partial outage.
With OpenDNS, all queries succeed:
$ dig any mm @resolver1.opendns.com
; <<>> DiG 9.4.2-P2 <<>> any mm @resolver1.opendns.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28070
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;mm. IN ANY
;; ANSWER SECTION:
mm. 120419 IN NS ns2.nic.net.mm.
mm. 120419 IN NS mm.cctld.authdns.ripe.net.
mm. 120419 IN NS ns0.nic.net.mm.
mm. 120419 IN NS ns1.nic.net.mm.
mm. 2616 IN SOA ns0.nic.net.mm. hostmaster.nic.net.mm. 2014073000 7200 1800 648000 3600
;; Query time: 39 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Fri Aug 29 02:01:29 2014
;; MSG SIZE rcvd: 168
With Google Public DNS, some queries fail:
$ dig any mm @8.8.8.8
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.4.2-P2 <<>> any mm @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45942
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;mm. IN ANY
;; Query time: 439 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Aug 29 02:01:08 2014
;; MSG SIZE rcvd: 20