kg DNSSEC Outage: 20150101

Updated: January 3, 2015

Overview

This page gives some details on the kg TLD DNSSEC outage from January 1 to January 2, 2015. The outage lasted over 24 hours.

Timeline / DNSViz

Verisign's DNSSEC Debugger

Here's a screenshot I took on January 1, 2015, of the DNSSEC Debugger output:

kg TLD DNSSEC outage 2015-01-01

OpenDNS vs. Google Public DNS

While Google Public DNS supports DNSSEC, OpenDNS supports the superior DNSCurve, which is (among other advantages) immune to DNSSEC failures. During this outage, Google failed to resolve names under kg while OpenDNS worked normally.

With OpenDNS, queries succeed:

$ dig www.dailynews.kg @resolver1.opendns.com

; <<>> DiG 9.4.2-P2 <<>> www.dailynews.kg @resolver1.opendns.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41400
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.dailynews.kg. IN A

;; ANSWER SECTION:
www.dailynews.kg. 3600 IN A 95.56.234.82

;; Query time: 786 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Thu Jan 1 19:39:09 2015
;; MSG SIZE rcvd: 50


With Google Public DNS, queries fail:

$ dig www.dailynews.kg @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> www.dailynews.kg @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10405
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.dailynews.kg. IN A

;; Query time: 341 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 1 19:38:44 2015
;; MSG SIZE rcvd: 34

dnscheck.iis.se

dnscheck.iis.se archived a DNSSEC outage at 2015-01-01 13:22:26 (requires javascript).

Logfile examples