root-dnssec.org DNSSEC Outage: 2014-11-19
Updated: November 21, 2014
Overview
This page gives some details on the root-dnssec.org DNSSEC outage of November 18 to 19, 2014. It contains Unbound logs and citations to DNSViz and dnscheck.iis.se.
Verisign's DNSSEC Debugger
Since Verisign doesn't archive outages, here's a screenshot I took on November 19, 2014:

DNSViz
- 2014-11-18 22:22:58 UTC: Bogus delegation
- 2014-11-19 06:23:19 UTC: Bogus delegation
- 2014-11-19 11:45:17 UTC: Bogus delegation
- 2014-11-19 12:44:40 UTC: Bogus delegation
- 2014-11-19 13:30:48 UTC: Bogus delegation
- 2014-11-19 14:12:21 UTC: Bogus delegation
- 2014-11-19 15:26:56 UTC: Bogus delegation
- 2014-11-19 20:18:02 UTC: NO_SEP_FOR_SOME_ALGS; MISSING_ALGS_FROM_DS
- 2014-11-19 20:42:23 UTC: NO_SEP_FOR_SOME_ALGS; MISSING_ALGS_FROM_DS
- 2014-11-19 20:55:24 UTC: NO_SEP_FOR_SOME_ALGS; MISSING_ALGS_FROM_DS
- 2014-11-19 21:23:40 UTC: NO_SEP_FOR_SOME_ALGS; MISSING_ALGS_FROM_DS
- 2014-11-20 00:16:25 UTC: NO_SEP_FOR_SOME_ALGS; MISSING_ALGS_FROM_DS
- 2014-11-20 01:20:12 UTC: Still seeing DNSSEC failures in Unbound. Check logs below for examples.
- 2014-11-20 01:25:23 UTC: NO_SEP_FOR_SOME_ALGS; MISSING_ALGS_FROM_DS
- 2014-11-20 14:23:08 UTC: NO_SEP_FOR_SOME_ALGS; MISSING_ALGS_FROM_DS
- 2014-11-20 21:36:27 UTC: okay
dnscheck.iis.se
The following link requires JavaScript and shows some details about the outage: http://dnscheck.iis.se/?time=1416397831&id=4372617&view=basic&test=standard
OpenDNS vs. Google Public DNS
OpenDNS does not support DNSSEC, instead supporting DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users could not resolve names under root-dnssec.org during this outage.
With OpenDNS, queries succeed:
$ drill -D www.root-dnssec.org @resolver1.opendns.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 12451
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.root-dnssec.org. IN A
;; ANSWER SECTION:
www.root-dnssec.org. 28800 IN CNAME wp.vip.icann.org.
wp.vip.icann.org. 30 IN A 192.0.32.23
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 109 msec
;; EDNS: version 0; flags: ; udp: 4096
;; SERVER: 208.67.222.222
;; WHEN: Wed Nov 19 11:49:52 2014
;; MSG SIZE rcvd: 91
With Google Public DNS, queries fail:
$ drill -D www.root-dnssec.org @8.8.8.8
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 32553
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.root-dnssec.org. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 100 msec
;; EDNS: version 0; flags: do ; udp: 512
;; SERVER: 8.8.8.8
;; WHEN: Wed Nov 19 11:48:57 2014
;; MSG SIZE rcvd: 48
Log entries
- [1416397407] unbound[6665:0] info: validation failure <root-dnssec.org. A IN>: no keys have a DS with algorithm RSASHA1 from 199.4.138.53 for key root-dnssec.org. while building chain of trust
- [1416399790] unbound[6665:0] info: validation failure <www.root-dnssec.org. A IN>: no keys have a DS with algorithm RSASHA1 from 199.43.133.53 for key root-dnssec.org. while building chain of trust
- [1416402071] unbound[6665:0] info: validation failure <root-dnssec.org. DNSKEY IN>: no keys have a DS with algorithm RSASHA1 from 199.43.134.53 for key root-dnssec.org. while building chain of trust
- [1416403692] unbound[6665:0] info: validation failure <root-dnssec.org. TXT IN>: no keys have a DS with algorithm RSASHA1 from 199.43.132.53 for key root-dnssec.org. while building chain of trust
- [1416441940] unbound[12974:0] info: validation failure <www.root-dnssec.org. A IN>: no keys have a DS with algorithm RSASHA1 from 199.43.133.53 for key root-dnssec.org. while building chain of trust
- [1416442755] unbound[19465:0] info: validation failure <root-dnssec.org. A IN>: no keys have a DS with algorithm RSASHA1 from 199.4.138.53 for key root-dnssec.org. while building chain of trust
- [1416446410] unbound[19465:0] info: validation failure <root-dnssec.org. NS IN>: no keys have a DS with algorithm RSASHA1 from 199.43.132.53 for key root-dnssec.org. while building chain of trust
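The bracketed timestamps in these entries are Unix epoch seconds. The following is an added example (not part of the original page and not Unbound's own code) that parses validation-failure lines of the shape shown above, converts the timestamps to UTC so they can be lined up against the DNSViz timeline, and summarises the failure window per zone key. The function names and the regular expression are assumptions made for this example; `SAMPLE` holds three of the log entries from this page.

```python
import re
from datetime import datetime, timezone

# Matches Unbound "validation failure" lines of the shape logged on this page.
LINE_RE = re.compile(
    r"\[(?P<epoch>\d+)\] unbound\[\d+:\d+\] info: validation failure "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: "
    r"(?P<reason>.+?) from (?P<server>\S+) for key (?P<key>\S+)"
)

# Three of the log entries quoted on this page.
SAMPLE = """\
[1416397407] unbound[6665:0] info: validation failure <root-dnssec.org. A IN>: no keys have a DS with algorithm RSASHA1 from 199.4.138.53 for key root-dnssec.org. while building chain of trust
[1416441940] unbound[12974:0] info: validation failure <www.root-dnssec.org. A IN>: no keys have a DS with algorithm RSASHA1 from 199.43.133.53 for key root-dnssec.org. while building chain of trust
[1416446410] unbound[19465:0] info: validation failure <root-dnssec.org. NS IN>: no keys have a DS with algorithm RSASHA1 from 199.43.132.53 for key root-dnssec.org. while building chain of trust
"""

def parse(text):
    """Return one dict per validation-failure line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)  # search() tolerates a leading "- " or syslog prefix
        if not m:
            continue
        rec = m.groupdict()
        rec["utc"] = datetime.fromtimestamp(int(rec.pop("epoch")), tz=timezone.utc)
        out.append(rec)
    return out

def failure_windows(records):
    """Map each failing key (zone) to first/last failure time, count and servers."""
    windows = {}
    for r in records:
        w = windows.setdefault(
            r["key"], {"first": r["utc"], "last": r["utc"], "count": 0, "servers": set()})
        w["first"] = min(w["first"], r["utc"])
        w["last"] = max(w["last"], r["utc"])
        w["count"] += 1
        w["servers"].add(r["server"])
    return windows

if __name__ == "__main__":
    for zone, w in failure_windows(parse(SAMPLE)).items():
        print(zone, w["first"].isoformat(), w["last"].isoformat(),
              w["count"], sorted(w["servers"]))
```

The last sample entry converts to 2014-11-20 01:20:10 UTC, which lines up with the 01:20:12 UTC note in the DNSViz list about Unbound still failing.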