firmdale DNSSEC Outage: 2014-12-06
Date: December 6, 2014
Overview
This page gives some details on the firmdale TLD DNSSEC outage of December 6, 2014. It lasted roughly 5.5 hours.
Timeline
- 2014-12-06 09:41:55 UTC: RRSIGs expire
- 2014-12-06 13:53:57 UTC: expired signatures (DNSViz)
- 2014-12-06 14:58:02 UTC: expired signatures (DNSViz)
- 2014-12-06 15:50:54 UTC: expired signatures (DNSViz)
- 2014-12-06 17:07:54 UTC: expired signatures (DNSViz)
- 2014-12-06 18:07:09 UTC: expired signatures (DNSViz)
- 2014-12-06 19:01:12 UTC: Last observed DNSSEC failure (Unbound log; see below)
- 2014-12-06 19:20:37 UTC: DNSSEC outage over (DNSViz)
Verisign's DNSSEC Debugger
Here's a screenshot I took of the DNSSEC Debugger output:
OpenDNS vs. Google Public DNS
While Google Public DNS supports DNSSEC, OpenDNS supports the superior DNSCurve, which is (among other advantages) immune to DNSSEC failures. During this outage, Google failed to resolve names under firmdale while OpenDNS worked normally.
With OpenDNS, queries succeed:
$ dig whois.nic.firmdale @resolver1.opendns.com
; <<>> DiG 9.4.2-P2 <<>> whois.nic.firmdale @resolver1.opendns.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17863
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;whois.nic.firmdale. IN A
;; ANSWER SECTION:
whois.nic.firmdale. 3600 IN A 103.19.25.195
;; Query time: 237 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sat Dec 6 15:57:50 2014
;; MSG SIZE rcvd: 52
With Google Public DNS, queries fail:
$ dig whois.nic.firmdale @8.8.8.8
; <<>> DiG 9.4.2-P2 <<>> whois.nic.firmdale @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2307
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;whois.nic.firmdale. IN A
;; Query time: 527 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Dec 6 15:58:29 2014
;; MSG SIZE rcvd: 36
dnscheck.iis.se
dnscheck.iis.se keeps an archive that requires JavaScript to be viewed. Have a look at dnscheck's view of the firmdale outage.
Logfile examples
- [1417859238] unbound[8671:0] info: validation failure <firmdale. NS IN>: signature expired from 72.0.51.1 for key FIRMDALE. while building chain of trust
- [1417860783] unbound[8671:0] info: validation failure <firmdale. NS IN>: signature expired from 72.42.115.1 for key FIRMDALE. while building chain of trust
- [1417877414] unbound[8671:0] info: validation failure <whois.nic.firmdale. A IN>: signature expired from 72.42.115.1 for key FIRMDALE. while building chain of trust
- [1417877425] unbound[8671:0] info: validation failure <nic.firmdale. MX IN>: key for validation FIRMDALE. is marked as invalid because of a previous validation failure <whois.nic.firmdale. A IN>: signature expired from 72.42.115.1 for key FIRMDALE. while building chain of trust
- [1417881883] unbound[8671:0] info: validation failure <whois.nic.firmdale. A IN>: signature expired from 72.0.51.1 for key FIRMDALE. while building chain of trust
- [1417884376] unbound[292:0] info: validation failure <firmdale. SOA IN>: signature expired from 72.42.115.1 for key FIRMDALE. while building chain of trust
- [1417886764] unbound[292:0] info: validation failure <firmdale. TXT IN>: signature expired from 72.42.115.1 for key FIRMDALE. while building chain of trust
- [1417890722] unbound[3615:0] info: validation failure <nic.firmdale. A IN>: signature expired from 72.0.51.1 for key FIRMDALE. while building chain of trust
- [1417891545] unbound[3615:0] info: validation failure <9ec360ee2631b857296b794a053228e4.firmdale. A IN>: signature expired from 72.0.51.1 for key FIRMDALE. while building chain of trust
- [1417892472] unbound[3615:0] info: validation failure <firmdale. NS IN>: signature expired from 72.42.115.1 for key FIRMDALE. while building chain of trust
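The Unbound lines above carry Unix epoch timestamps, so the failure window has to be computed rather than read off. The following Python example is added here and is not part of the original page: it parses three lines copied from the excerpt above, converts the timestamps to UTC, and separates direct expired-signature failures from ones that cascade from a key already marked invalid (the names parse_failures and summarize are illustrative).

```python
import re
from datetime import datetime, timezone

# Three lines copied from the Unbound log excerpt on this page (list dashes kept).
SAMPLE_LOG = """\
- [1417859238] unbound[8671:0] info: validation failure <firmdale. NS IN>: signature expired from 72.0.51.1 for key FIRMDALE. while building chain of trust
- [1417877425] unbound[8671:0] info: validation failure <nic.firmdale. MX IN>: key for validation FIRMDALE. is marked as invalid because of a previous validation failure <whois.nic.firmdale. A IN>: signature expired from 72.42.115.1 for key FIRMDALE. while building chain of trust
- [1417892472] unbound[3615:0] info: validation failure <firmdale. NS IN>: signature expired from 72.42.115.1 for key FIRMDALE. while building chain of trust
"""

LINE_RE = re.compile(
    r"\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: validation failure "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: (?P<reason>.*)"
)
EXPIRED_RE = re.compile(r"signature expired from (?P<server>\S+) for key (?P<key>\S+)")
CASCADE = "is marked as invalid because of a previous validation failure"

def parse_failures(text):
    """Return one dict per Unbound 'validation failure' line, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a validation-failure line
        exp = EXPIRED_RE.search(m["reason"])
        events.append({
            "when": datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc),
            "query": f'{m["qname"]} {m["qtype"]}',
            "expired": exp is not None,
            "server": exp["server"] if exp else None,
            "key": exp["key"] if exp else None,
            # True when this query failed only because the zone key was
            # already marked invalid by an earlier validation failure.
            "cascaded": CASCADE in m["reason"],
        })
    return sorted(events, key=lambda e: e["when"])

def summarize(events):
    """Failure window plus affected keys and servers for expired-signature events."""
    expired = [e for e in events if e["expired"]]
    if not expired:
        return None
    return {
        "first": expired[0]["when"].isoformat(),
        "last": expired[-1]["when"].isoformat(),
        "keys": sorted({e["key"] for e in expired}),
        "servers": sorted({e["server"] for e in expired}),
        "cascaded": sum(e["cascaded"] for e in expired),
    }

if __name__ == "__main__":
    print(summarize(parse_failures(SAMPLE_LOG)))
```

On the sample, the last event converts to 19:01:12 UTC, which matches the "Last observed DNSSEC failure" entry in the timeline.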