.sx Partial DNSSEC Outage: 2014-09-25
Date: September 25, 2014
Overview
This page gives some details on the .sx (Sint Maarten) partial DNSSEC outage of September 25, 2014. It contains unbound logs and citations to DNSViz and archive.org.
Verisign's DNSSEC Debugger
The website was down, possibly in relation to the bash bug branded as Shellshock.
DNSViz
- 2014-09-24 15:34:03 UTC: bogus CNAME NSEC — this DNSSEC failure is actually expected for .sx, which is long-term broken in this regard.
- 2014-09-24 21:59:10 UTC: bogus SOA, bogus CNAME NSEC
- 2014-09-25 01:18:46 UTC: bogus SOA, bogus CNAME NSEC
- 2014-09-25 06:17:37 UTC: bogus SOA, bogus CNAME NSEC
- 2014-09-25 11:08:05 UTC: bogus CNAME NSEC — things are "okay" again by DNSSEC standards.
dnssek.info
Here's an archive.org snapshot of dnssek.info showing an outage. dnssek.info is an interesting site that visualizes RRSIG expirations and other DNSSEC failures.
Log entries
- [1411607007] unbound[3281:0] info: validation failure <sx. A IN>: no signatures from 80.92.90.160
- [1411607756] unbound[3281:0] info: validation failure <dnssec.sx. A IN>: no DNSSEC records from 80.92.90.160 for DS dnssec.sx. while building chain of trust
- [1411608478] unbound[3281:0] info: validation failure <xvns2l7ctjixo4gg.sx. A IN>: covering NSEC3 was not opt-out in an opt-out DS NOERROR/NODATA case from 89.207.184.65 for DS xvns2l7ctjixo4gg.sx. while building chain of trust
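The bracketed numbers in these log entries are Unix epoch seconds. The following is an added example, not part of the original page: it parses the three lines, converts the timestamps to UTC and checks them against the first and last "bogus SOA" DNSViz observations listed above. The regular expression is an assumption inferred from these three lines only, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# The three unbound log lines quoted on this page.
LOG_LINES = [
    "[1411607007] unbound[3281:0] info: validation failure <sx. A IN>: "
    "no signatures from 80.92.90.160",
    "[1411607756] unbound[3281:0] info: validation failure <dnssec.sx. A IN>: "
    "no DNSSEC records from 80.92.90.160 for DS dnssec.sx. "
    "while building chain of trust",
    "[1411608478] unbound[3281:0] info: validation failure "
    "<xvns2l7ctjixo4gg.sx. A IN>: covering NSEC3 was not opt-out in an opt-out "
    "DS NOERROR/NODATA case from 89.207.184.65 for DS xvns2l7ctjixo4gg.sx. "
    "while building chain of trust",
]

# Line layout inferred from those three lines only (an assumption, not a spec).
LINE_RE = re.compile(
    r"^\[(?P<epoch>\d+)\] unbound\[\d+:\d+\] info: validation failure "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: "
    r"(?P<reason>.+?) from (?P<server>\S+)"
    r"(?: for DS (?P<ds_zone>\S+) while building chain of trust)?$"
)

# First and last "bogus SOA" observations in the DNSViz list on this page.
BOGUS_SOA_FIRST = datetime(2014, 9, 24, 21, 59, 10, tzinfo=timezone.utc)
BOGUS_SOA_LAST = datetime(2014, 9, 25, 6, 17, 37, tzinfo=timezone.utc)

def parse_line(line):
    """Return the fields of one validation-failure line, or None if it differs."""
    m = LINE_RE.match(line.strip().lstrip("- "))
    if m is None:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.fromtimestamp(int(rec.pop("epoch")), tz=timezone.utc)
    rec["in_bogus_soa_window"] = BOGUS_SOA_FIRST <= rec["when"] <= BOGUS_SOA_LAST
    return rec

def failures_by_server(lines):
    """Group parsed failures by the upstream server unbound blamed."""
    grouped = {}
    for rec in filter(None, map(parse_line, lines)):
        grouped.setdefault(rec["server"], []).append(rec)
    return grouped

if __name__ == "__main__":
    for server, recs in failures_by_server(LOG_LINES).items():
        print(server, [(r["when"].isoformat(), r["qname"], r["reason"]) for r in recs])
```

All three entries fall between 01:03 and 01:28 UTC on 2014-09-25, inside the span in which DNSViz reported a bogus SOA.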