xn--y9a3aq TLD DNSSEC Outage: 2015-07-23 to 2015-07-24
Updated: July 24, 2015
Overview
This page gives some details on the xn--y9a3aq (Armenia) TLD DNSSEC outage from July 23 to July 24, 2015.
Verisign's DNSSEC Debugger
Verisign doesn't archive test results, unlike DNSViz. So here's a screenshot I took on July 23, 2015:
Timeline / DNSViz
- 2015-07-23 18:24:59 UTC — RRSIGs expire
- 2015-07-23 18:25:17 UTC — expired RRSIGs
- 2015-07-23 22:53:56 UTC — expired RRSIGs
- 2015-07-24 03:40:18 UTC — expired RRSIGs
- 2015-07-24 09:44:42 UTC — expired RRSIGs
- 2015-07-24 14:51:53 UTC — expired RRSIGs
- 2015-07-24 21:06:06 UTC — DNSSEC outage over
OpenDNS & Google Public DNS
OpenDNS does not support DNSSEC; it supports DNSCurve instead. Google Public DNS currently supports only DNSSEC, so Google's users saw SERVFAIL for queries under xn--y9a3aq during this outage.
With OpenDNS, queries succeed:
$ dig ns xn--y9a3aq. @resolver1.opendns.com.
; <<>> DiG 9.4.2-P2 <<>> ns xn--y9a3aq. @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37292
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;xn--y9a3aq. IN NS
;; ANSWER SECTION:
xn--y9a3aq. 172800 IN NS am.cctld.authdns.ripe.net.
xn--y9a3aq. 172800 IN NS rip.psg.com.
xn--y9a3aq. 172800 IN NS fork.sth.dnsnode.net.
xn--y9a3aq. 172800 IN NS ns-cdn.amnic.net.
xn--y9a3aq. 172800 IN NS ns-pch.amnic.net.
xn--y9a3aq. 172800 IN NS ns-pri.amnic.net.
xn--y9a3aq. 172800 IN NS sns-pb.isc.org.
;; Query time: 94 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Thu Jul 23 18:39:21 2015
;; MSG SIZE rcvd: 220
With Google Public DNS, which supports DNSSEC, queries fail:
$ dig ns xn--y9a3aq. @8.8.8.8
; <<>> DiG 9.4.2-P2 <<>> ns xn--y9a3aq. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51710
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;xn--y9a3aq. IN NS
;; Query time: 1062 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jul 23 18:39:33 2015
;; MSG SIZE rcvd: 28
dnscheck
dnscheck.labs.nic.cz archived a DNSSEC outage at 2015-07-23 18:26:53 (requires JavaScript).
dnscheck.iis.se archived a DNSSEC outage at 2015-07-23 18:25:52 (requires JavaScript).
Zonemaster
Zonemaster archived this xn--y9a3aq DNSSEC outage.
Logfile examples
- [1437675889] unbound[18873:0] info: validation failure <xn--y9a3aq. DNSKEY IN>: signature expired from 195.43.74.53 for key xn--y9a3aq. while building chain of trust
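
An added example, not part of the original page: a small parser that pulls Unbound "validation failure" lines like the one above out of a resolver log and groups expired-signature failures by the zone whose key failed to validate. The first sample line is the entry above; the other two lines, the address 192.0.2.53 and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Line 1 is the entry shown above; lines 2-3 are constructed for illustration.
SAMPLE_LOG = """\
[1437675889] unbound[18873:0] info: validation failure <xn--y9a3aq. DNSKEY IN>: signature expired from 195.43.74.53 for key xn--y9a3aq. while building chain of trust
[1437675950] unbound[18873:0] info: validation failure <example.xn--y9a3aq. A IN>: signature expired from 192.0.2.53 for key xn--y9a3aq. while building chain of trust
[1437676000] unbound[18873:0] info: resolving example.test. A IN
"""

# "[epoch] unbound[pid:thread] info: validation failure <name type class>: detail"
LINE_RE = re.compile(
    r"^\[(?P<epoch>\d+)\] unbound\[\d+:\d+\] info: validation failure "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: (?P<detail>.+)$"
)
# detail: "<reason> from <server> for key <zone> ..."
DETAIL_RE = re.compile(r"^(?P<reason>.+?) from (?P<server>\S+) for key (?P<zone>\S+)")


def parse_log(text):
    """Return one dict per validation-failure line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["time"] = datetime.fromtimestamp(int(event.pop("epoch")), tz=timezone.utc)
        d = DETAIL_RE.match(event["detail"])
        # Keep the raw detail as the reason when it does not fit the expected shape.
        event.update(d.groupdict() if d else
                     {"reason": event["detail"], "server": None, "zone": None})
        events.append(event)
    return events


def expired_by_zone(events):
    """Group 'signature expired' failures by the zone whose key failed to validate."""
    summary = {}
    for e in events:
        if e["reason"] != "signature expired" or e["zone"] is None:
            continue
        s = summary.setdefault(e["zone"], {"count": 0, "first": e["time"],
                                           "last": e["time"], "servers": set()})
        s["count"] += 1
        s["first"], s["last"] = min(s["first"], e["time"]), max(s["last"], e["time"])
        s["servers"].add(e["server"])
    return summary


if __name__ == "__main__":
    for zone, s in expired_by_zone(parse_log(SAMPLE_LOG)).items():
        print(zone, s["count"], s["first"].isoformat(), s["last"].isoformat(), sorted(s["servers"]))
```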