kg DNSSEC Outage: 2015-01-01
Updated: January 3, 2015
Overview
This page gives some details on the kg TLD DNSSEC outage from January 1 to January 2, 2015. The outage lasted over 24 hours.
Timeline / DNSViz
- 2014-12-31 23:59:59 UTC — RRSIGs expire
- 2015-01-01 01:50:31 UTC — expired RRSIGs
- 2015-01-01 08:28:48 UTC — expired RRSIGs
- 2015-01-01 16:22:14 UTC — expired RRSIGs
- 2015-01-01 19:21:29 UTC — expired RRSIGs
- 2015-01-01 20:41:55 UTC — expired RRSIGs
- 2015-01-01 21:48:31 UTC — expired RRSIGs
- 2015-01-01 22:55:10 UTC — expired RRSIGs
- 2015-01-02 00:12:25 UTC — expired RRSIGs
- 2015-01-02 03:51:33 UTC — expired RRSIGs
- 2015-01-02 06:14:45 UTC — expired RRSIGs
- 2015-01-02 06:26:36 UTC — approximate end of the outage
- 2015-01-02 07:57:56 UTC — Bogus SOA and outage debris
- 2015-01-02 11:24:31 UTC — Bogus SOA and outage debris
- 2015-01-02 11:29:47 UTC — Bogus SOA and outage debris
- 2015-01-02 15:12:21 UTC — Fixed; no longer broken/damaged by DNSSEC
Verisign's DNSSEC Debugger
Here's a screenshot I took on January 1, 2015, of the DNSSEC Debugger output:
OpenDNS vs. Google Public DNS
While Google Public DNS supports DNSSEC, OpenDNS supports the superior DNSCurve, which is (among other advantages) immune to DNSSEC failures. During this outage, Google failed to resolve names under kg while OpenDNS worked normally.
With OpenDNS, queries succeed:
$ dig www.dailynews.kg @resolver1.opendns.com
; <<>> DiG 9.4.2-P2 <<>> www.dailynews.kg @resolver1.opendns.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41400
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.dailynews.kg. IN A
;; ANSWER SECTION:
www.dailynews.kg. 3600 IN A 95.56.234.82
;; Query time: 786 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Thu Jan 1 19:39:09 2015
;; MSG SIZE rcvd: 50
With Google Public DNS, queries fail:
$ dig www.dailynews.kg @8.8.8.8
; <<>> DiG 9.4.2-P2 <<>> www.dailynews.kg @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10405
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.dailynews.kg. IN A
;; Query time: 341 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 1 19:38:44 2015
;; MSG SIZE rcvd: 34
dnscheck.iis.se
dnscheck.iis.se archived a DNSSEC outage at 2015-01-01 13:22:26 (requires JavaScript).
Logfile examples
- [1420071008] unbound[5574:0] info: validation failure <kg. NS IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust
- [1420141334] unbound[5574:0] info: validation failure <www.university.kg. A IN>: signature expired from 195.38.160.36 for key kg. while building chain of trust
- [1420141356] unbound[5574:0] info: validation failure <kg. SOA IN>: key for validation kg. is marked as invalid because of a previous validation failure <www.university.kg. A IN>: signature expired from 195.38.160.36 for key kg. while building chain of trust
- [1420142133] unbound[5574:0] info: validation failure <kg. NS IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust
- [1420179696] unbound[32233:0] info: validation failure <kg. NS IN>: signature expired from 195.38.160.36 for key kg. while building chain of trust
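Resolver entries like these can be reduced to an outage window per signing key. The Python below is an added example, not part of the original page: it parses the unbound lines quoted above (embedded verbatim as sample input), separates fresh "signature expired" failures from cached ones, and reports the first and last failure in UTC together with the authoritative servers that returned expired signatures. The function names and regular expressions are assumptions derived only from the line format shown here.

```python
import re
from datetime import datetime, timezone

# Log lines copied from the "Logfile examples" list on this page.
SAMPLE_LOG = """\
[1420071008] unbound[5574:0] info: validation failure <kg. NS IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust
[1420141334] unbound[5574:0] info: validation failure <www.university.kg. A IN>: signature expired from 195.38.160.36 for key kg. while building chain of trust
[1420141356] unbound[5574:0] info: validation failure <kg. SOA IN>: key for validation kg. is marked as invalid because of a previous validation failure <www.university.kg. A IN>: signature expired from 195.38.160.36 for key kg. while building chain of trust
[1420142133] unbound[5574:0] info: validation failure <kg. NS IN>: signature expired from 193.0.9.84 for key kg. while building chain of trust
[1420179696] unbound[32233:0] info: validation failure <kg. NS IN>: signature expired from 195.38.160.36 for key kg. while building chain of trust
"""

# Assumed patterns, based only on the lines above (not unbound's own grammar).
HEAD = re.compile(r"^\[(\d+)\] unbound\[\d+:\d+\] info: validation failure "
                  r"<(\S+) (\S+) (\S+)>: (.*)$")
DIRECT = re.compile(r"^(.+?) from (\S+) for key (\S+)")
CACHED = re.compile(r"^key for validation (\S+) is marked as invalid")

def parse_line(line):
    """Return one validation-failure event as a dict, or None if no match."""
    m = HEAD.match(line.strip())
    if not m:
        return None
    ts, qname, qtype, _qclass, detail = m.groups()
    event = {"time": datetime.fromtimestamp(int(ts), tz=timezone.utc),
             "qname": qname, "qtype": qtype, "cached": False,
             "reason": None, "server": None, "key": None}
    c, d = CACHED.match(detail), DIRECT.match(detail)
    if c:    # resolver reused an earlier failure: no new upstream evidence
        event.update(cached=True, key=c.group(1))
    elif d:  # fresh failure: reason, answering server, signing key
        event.update(reason=d.group(1), server=d.group(2), key=d.group(3))
    return event

def summarize(text):
    """Group events by signing key: first/last seen, servers, counts."""
    out = {}
    for ev in filter(None, map(parse_line, text.splitlines())):
        s = out.setdefault(ev["key"], {"first": ev["time"], "last": ev["time"],
                                       "servers": set(), "direct": 0, "cached": 0})
        s["first"], s["last"] = min(s["first"], ev["time"]), max(s["last"], ev["time"])
        s["cached" if ev["cached"] else "direct"] += 1
        if ev["server"]:
            s["servers"].add(ev["server"])
    return out

if __name__ == "__main__":
    for key, s in summarize(SAMPLE_LOG).items():
        print(key, s["first"].isoformat(), s["last"].isoformat(), sorted(s["servers"]))
```

On the five sample lines the last failure lands at 2015-01-02 06:21:36 UTC, a few minutes before the approximate end of the outage given in the timeline.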