.lat partial DNSSEC Outage: 2015-05-06 to 2015-05-10

Updated: May 10, 2015

Overview

This page gives some details on the .lat partial DNSSEC outage from May 6, 2015 to May 10, 2015. I observed a complete outage (100% failure rate) of the .lat TLD on two Unbound resolvers on different networks. This observation agrees with dnssek.info, which also saw validation failures. I call this a partial outage because I believe it affected only certain software, including Unbound.

Timeline / DNSViz

• 2015-05-06 23:04:40 UTC — no outage, DNS okay. DNSKEYs 55507 and 55504.
• 2015-05-06 23:30:29 UTC — partial outage; DS points to nonexistent DNSKEY (55504 was deleted).
• 2015-05-06 23:31:01 UTC — see above
• 2015-05-06 23:32:32 UTC — see above
• 2015-05-06 23:33:27 UTC — see above
• 2015-05-07 05:03:55 UTC — see above
• 2015-05-07 09:44:47 UTC — see above
• 2015-05-07 15:26:35 UTC — see above
• 2015-05-07 23:04:00 UTC — see above
• 2015-05-08 03:35:48 UTC — see above
• 2015-05-08 09:44:12 UTC — see above
• 2015-05-08 17:04:44 UTC — see above
• 2015-05-08 23:04:08 UTC — see above
• 2015-05-09 05:04:00 UTC — see above
• 2015-05-09 09:47:24 UTC — see above
• 2015-05-09 17:04:38 UTC — see above
• 2015-05-09 23:04:33 UTC — see above
• 2015-05-10 05:04:28 UTC — see above
• 2015-05-10 09:44:41 UTC — partial outage over; DS to DNSKEY 55504 deleted

dnssek.info

dnssek.info is a nice tool for debugging DNSSEC outages, but unfortunately it doesn't archive its findings. So here's a screenshot of my web browser's output:

(click for a full-size image)

Logfile examples

• [1431157393] unbound[3777:0] info: validation failure <lat. NS IN>: no keys have a DS with algorithm RSASHA1 from 200.94.176.1 for key lat. while building chain of trust
• [1431207058] unbound[3777:0] info: validation failure <www.nic.lat. AAAA IN>: no keys have a DS with algorithm RSASHA1 from 200.23.1.1 for key lat. while building chain of trust