fashion partial DNSSEC Outage: 20141207

Date: December 7, 2014

Overview

This page gives some details on the fashion TLD partial DNSSEC outage of December 7, 2014. The outage was partial, affecting some deployments but not all. My unbound resolver was unaffected, while e.g. Google Public DNS (the Internet's biggest DNSSEC deployment) failed. Root problem: fashion is delegated to nic.fashion nameservers, and nic.fashion had a DNSSEC outage.

Timeline

Verisign's DNSSEC Debugger

Verisign showed fashion to be okay. Here's a screenshot I took of the nic.fashion DNSSEC Debugger output:

[Screenshot: fashion TLD DNSSEC outage 2014-12-07]

OpenDNS vs. Google Public DNS

While Google Public DNS supports DNSSEC, OpenDNS supports the superior DNSCurve, which is (among other advantages) immune to DNSSEC failures. During this outage, Google failed to resolve names under fashion while OpenDNS worked normally.

With OpenDNS, queries succeed:

$ dig whois.nic.fashion. @resolver1.opendns.com

; <<>> DiG 9.4.2-P2 <<>> whois.nic.fashion. @resolver1.opendns.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20397
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;whois.nic.fashion. IN A

;; ANSWER SECTION:
whois.nic.fashion. 100 IN A 217.112.159.143

;; Query time: 54 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sun Dec 7 16:48:47 2014
;; MSG SIZE rcvd: 51


With Google Public DNS, queries fail:

$ dig whois.nic.fashion. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> whois.nic.fashion. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16085
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;whois.nic.fashion. IN A

;; Query time: 165 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Dec 7 16:48:13 2014
;; MSG SIZE rcvd: 35
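
The comparison above as an added example (not code from the original page): it parses the header lines of the two dig outputs shown and classifies a SERVFAIL at the validating resolver against a NOERROR elsewhere. The `+cd` (checking disabled) confirmation step, its sample reply, and the function names are assumptions introduced here, not taken from the page.

```python
import re

# Header lines copied from the two dig runs on this page.
OPENDNS = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20397
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; SERVER: 208.67.222.222#53(208.67.222.222)"""
GOOGLE = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16085
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; SERVER: 8.8.8.8#53(8.8.8.8)"""
# Constructed sample (not captured during the outage): the shape of a reply
# to the same query sent with the CD bit set.
GOOGLE_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; SERVER: 8.8.8.8#53(8.8.8.8)"""

def parse_dig(text):
    """Return rcode, header flags, answer count and server from dig output."""
    status = re.search(r"status: (\w+), id: \d+", text)
    counts = re.search(r"flags: ([a-z ]*);.*ANSWER: (\d+)", text)
    server = re.search(r"SERVER: ([^#\s]+)#", text)
    if not (status and counts):
        raise ValueError("no dig response header found")
    return {"status": status.group(1),
            "flags": set(counts.group(1).split()),
            "answers": int(counts.group(2)),
            "server": server.group(1) if server else None}

def classify(validating, other, validating_cd=None):
    """Compare a validating resolver's reply with a second resolver's reply.

    validating_cd, if given, is the validating resolver's reply to the same
    query with checking disabled (dig +cd)."""
    v, o = parse_dig(validating), parse_dig(other)
    if v["status"] != "SERVFAIL":
        return "no failure at validating resolver"
    if validating_cd is not None:
        c = parse_dig(validating_cd)
        if c["status"] == "NOERROR" and "cd" in c["flags"]:
            return "DNSSEC validation failure (confirmed by +cd)"
        return "SERVFAIL persists with +cd: cause is not validation alone"
    if o["status"] == "NOERROR" and o["answers"] > 0:
        return "possible DNSSEC validation failure (unconfirmed)"
    return "no answer at second resolver either: not DNSSEC-specific"

if __name__ == "__main__":
    print(classify(GOOGLE, OPENDNS))
    print(classify(GOOGLE, OPENDNS, GOOGLE_CD))
```

Without the `+cd` reply the split between resolvers is only suggestive, since a SERVFAIL can also come from unreachable or lame authoritative servers.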

Logfile examples