.mm partial DNSSEC Outage: 20140829

Date: August 29, 2014

Overview

This page gives some details on the .mm partial DNSSEC outage of August 29, 2014.

DNSViz

Verisign's DNSSEC Debugger

Verisign doesn't archive test results, unlike DNSViz. So here's a screenshot I took on August 29, 2014:

August 29, 2014 partial .mm TLD DNSSEC outage

dnscheck.iis.se

The following page requires javascript. dnscheck.iis.se reports expired DNSKEY signatures and "[n]ot enough valid signatures found for mm."

OpenDNS & Google Public DNS

OpenDNS does not support DNSSEC, instead supporting DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users saw SERVFAIL for some queries under .mm during this partial outage.

With OpenDNS, all queries succeed:

$ dig any mm @resolver1.opendns.com

; <<>> DiG 9.4.2-P2 <<>> any mm @resolver1.opendns.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28070
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mm. IN ANY

;; ANSWER SECTION:
mm. 120419 IN NS ns2.nic.net.mm.
mm. 120419 IN NS mm.cctld.authdns.ripe.net.
mm. 120419 IN NS ns0.nic.net.mm.
mm. 120419 IN NS ns1.nic.net.mm.
mm. 2616 IN SOA ns0.nic.net.mm. hostmaster.nic.net.mm. 2014073000 7200 1800 648000 3600

;; Query time: 39 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Fri Aug 29 02:01:29 2014
;; MSG SIZE rcvd: 168


With Google Public DNS, some queries fail:

$ dig any mm @8.8.8.8
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.4.2-P2 <<>> any mm @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45942
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mm. IN ANY

;; Query time: 439 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Aug 29 02:01:08 2014
;; MSG SIZE rcvd: 20