xn--y9a3aq TLD DNSSEC Outage: 2015-06-25 to 2015-06-26
Updated: June 27, 2015
Overview
This page gives some details on the xn--y9a3aq TLD DNSSEC outage from June 25, 2015 to June 26, 2015.
Verisign's DNSSEC Debugger
Verisign doesn't archive test results, unlike DNSViz. So here's a screenshot I took on June 25, 2015:
Timeline / DNSViz
- 2015-06-25 18:53:36 UTC — RRSIGs expire
- 2015-06-25 18:56:44 UTC — expired RRSIGs
- 2015-06-25 20:18:45 UTC — expired RRSIGs
- 2015-06-25 23:06:34 UTC — expired RRSIGs
- 2015-06-26 05:08:08 UTC — expired RRSIGs
- 2015-06-26 09:44:04 UTC — expired RRSIGs
- 2015-06-26 15:48:32 UTC — expired RRSIGs
- 2015-06-26 21:31:43 UTC — some expired RRSIGs
- 2015-06-27 00:05:20 UTC — DNSSEC outage completely over
OpenDNS & Google Public DNS
OpenDNS does not support DNSSEC, instead supporting DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users saw SERVFAIL for queries under xn--y9a3aq during this outage.
With OpenDNS, queries succeed:
$ dig ns xn--y9a3aq. @resolver1.opendns.com.
; <<>> DiG 9.4.2-P2 <<>> ns xn--y9a3aq. @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41820
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;xn--y9a3aq. IN NS
;; ANSWER SECTION:
xn--y9a3aq. 172800 IN NS rip.psg.com.
xn--y9a3aq. 172800 IN NS fork.sth.dnsnode.net.
xn--y9a3aq. 172800 IN NS am.cctld.authdns.ripe.net.
xn--y9a3aq. 172800 IN NS sns-pb.isc.org.
xn--y9a3aq. 172800 IN NS ns-cdn.amnic.net.
xn--y9a3aq. 172800 IN NS ns-pch.amnic.net.
xn--y9a3aq. 172800 IN NS ns-pri.amnic.net.
;; Query time: 195 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Thu Jun 25 19:10:14 2015
;; MSG SIZE rcvd: 220
With Google Public DNS, which supports DNSSEC, queries fail:
$ dig ns xn--y9a3aq. @8.8.8.8
; <<>> DiG 9.4.2-P2 <<>> ns xn--y9a3aq. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40615
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;xn--y9a3aq. IN NS
;; Query time: 86 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jun 25 19:10:21 2015
;; MSG SIZE rcvd: 28
dnscheck
dnscheck.labs.nic.cz archived a DNSSEC outage at 2015-06-25 18:57:47 (requires JavaScript).
dnscheck.iis.se archived a DNSSEC outage at 2015-06-25 18:57:04 (requires JavaScript).
Zonemaster
Zonemaster archived this xn--y9a3aq DNSSEC outage.
Logfile examples
- [1435260089] unbound[25133:0] info: validation failure <nic.xn--y9a3aq. A IN>: signature expired from 193.0.9.57 for key xn--y9a3aq. while building chain of trust
- [1435260290] unbound[25133:0] info: validation failure <xn--y9a3aq. SOA IN>: signature expired from 77.72.229.254 for key xn--y9a3aq. while building chain of trust
- [1435260545] unbound[25133:0] info: validation failure <xn--y9a3aq. TXT IN>: signature expired from 194.0.1.26 for key xn--y9a3aq. while building chain of trust
- [1435260657] unbound[26398:0] info: validation failure <xn--y9a3aq. NS IN>: signature expired from 195.43.74.53 for key xn--y9a3aq. while building chain of trust
- [1435273369] unbound[1323:0] info: validation failure <xn--y9a3aq. NS IN>: signature expired from 204.61.216.96 for key xn--y9a3aq. while building chain of trust
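Added example (not part of the original page): a small Python summarizer for unbound validation-failure lines like the ones above, grouping them by the zone whose key failed. The same failure reason reported from many different authoritative servers points at the zone's signing rather than at one stale server. The regex is an assumption based only on the message shape shown on this page, and the function names are illustrative.

```python
import re
from datetime import datetime, timezone

# The five log lines from the "Logfile examples" list on this page.
SAMPLE_LOG = """\
[1435260089] unbound[25133:0] info: validation failure <nic.xn--y9a3aq. A IN>: signature expired from 193.0.9.57 for key xn--y9a3aq. while building chain of trust
[1435260290] unbound[25133:0] info: validation failure <xn--y9a3aq. SOA IN>: signature expired from 77.72.229.254 for key xn--y9a3aq. while building chain of trust
[1435260545] unbound[25133:0] info: validation failure <xn--y9a3aq. TXT IN>: signature expired from 194.0.1.26 for key xn--y9a3aq. while building chain of trust
[1435260657] unbound[26398:0] info: validation failure <xn--y9a3aq. NS IN>: signature expired from 195.43.74.53 for key xn--y9a3aq. while building chain of trust
[1435273369] unbound[1323:0] info: validation failure <xn--y9a3aq. NS IN>: signature expired from 204.61.216.96 for key xn--y9a3aq. while building chain of trust
"""

# Matches only the message shape shown above; unbound failure messages
# worded differently are skipped rather than guessed at.
LINE_RE = re.compile(
    r"\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: validation failure "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: (?P<reason>.+?) "
    r"from (?P<server>\S+) for key (?P<zone>\S+)"
)

def utc(ts):
    """Render an epoch timestamp as a UTC string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def summarize(text):
    """Group validation failures by the zone whose key failed to validate."""
    zones = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = int(m["ts"])
        z = zones.setdefault(m["zone"], {"count": 0, "reasons": set(),
                                         "servers": set(), "qnames": set(),
                                         "first": ts, "last": ts})
        z["count"] += 1
        z["reasons"].add(m["reason"])
        z["servers"].add(m["server"])          # authoritative server that answered
        z["qnames"].add(f'{m["qname"]} {m["qtype"]}')
        z["first"], z["last"] = min(z["first"], ts), max(z["last"], ts)
    return zones

if __name__ == "__main__":
    for zone, z in summarize(SAMPLE_LOG).items():
        print(f'{zone} {z["count"]} failures ({", ".join(sorted(z["reasons"]))}) '
              f'from {len(z["servers"])} servers, {utc(z["first"])} to {utc(z["last"])} UTC')
```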