root-dnssec.org DNSSEC Outage: 2014-11-19

Updated: November 21, 2014

Overview

This page gives some details on the root-dnssec.org DNSSEC outage of November 18 to 19, 2014. It contains unbound logs, citations to DNSViz and dnscheck.iis.se.

Verisign's DNSSEC Debugger

Since Verisign doesn't archive outages, here's a screenshot I took on November 19, 2014:

root-dnssec.org DNSSEC Outage

DNSViz

dnscheck.iis.se

The following link requires javascript, and shows some details about the outage: http://dnscheck.iis.se/?time=1416397831&id=4372617&view=basic&test=standard

OpenDNS vs. Google Public DNS

OpenDNS does not support DNSSEC, instead supporting DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users could not resolve names under root-dnssec.org during this outage.

With OpenDNS, queries succeed:

$ drill -D www.root-dnssec.org @resolver1.opendns.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 12451
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.root-dnssec.org. IN A

;; ANSWER SECTION:
www.root-dnssec.org. 28800 IN CNAME wp.vip.icann.org.
wp.vip.icann.org. 30 IN A 192.0.32.23

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 109 msec
;; EDNS: version 0; flags: ; udp: 4096
;; SERVER: 208.67.222.222
;; WHEN: Wed Nov 19 11:49:52 2014
;; MSG SIZE rcvd: 91


With Google Public DNS, queries fail:

$ drill -D www.root-dnssec.org @8.8.8.8
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 32553
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.root-dnssec.org. IN A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 100 msec
;; EDNS: version 0; flags: do ; udp: 512
;; SERVER: 8.8.8.8
;; WHEN: Wed Nov 19 11:48:57 2014
;; MSG SIZE rcvd: 48

Log entries