.mil (US Military) DNSSEC Outage: 2015-12-09 to 2015-12-10
Updated: December 10, 2015
Overview
This page gives some details on the .mil TLD DNSSEC outage from December 9 to December 10, 2015.
DNSViz / Timeline
- 2015-12-09 19:21:15 UTC: first personally observed DNSSEC failure
- 2015-12-09 20:05:38 UTC: bogus DNSSEC delegation
- 2015-12-09 20:56:05 UTC: bogus DNSSEC delegation
- 2015-12-09 21:02:20 UTC: bogus DNSSEC delegation
- 2015-12-09 21:17:33 UTC: bogus DNSSEC delegation
- 2015-12-09 21:29:37 UTC: bogus DNSSEC delegation
- 2015-12-09 22:53:44 UTC: bogus DNSSEC delegation
- 2015-12-10 00:16:44 UTC: bogus DNSSEC delegation
- 2015-12-10 00:19:37 UTC: bogus DNSSEC delegation
- 2015-12-10 02:33:55 UTC: last personally observed DNSSEC failure
- 2015-12-10 02:36:45 UTC: outage debris, but DNSSEC outage essentially over
DNSSEC Debugger
Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from December 6, 2015:
dnscheck
dnscheck.labs.nic.cz shows "The zone mil has published DS records, but none of them work." at 2015-12-09 22:04:51. (Requires JavaScript.)
dnscheck.iis.se was having database troubles, as is often the case, but finally admitted that "The zone mil has published DS records, but none of them work." at 2015-12-09 22:04:53. (Requires JavaScript.)
Zonemaster
Zonemaster archived this .mil TLD DNSSEC outage.
Logfile examples
- [1449689493] unbound[25266:0] info: validation failure <army.mil. A IN>: signatures from unknown keys from 199.252.180.234 for DS army.mil. while building chain of trust
- [1449701259] unbound[25266:0] info: validation failure <usfj.mil. A IN>: key for validation mil. is marked as invalid because of a previous validation failure <army.mil. A IN>: no keys have a DS with algorithm RSASHA256 from 199.252.143.234 for key mil. while building chain of trust
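The two log lines above are different kinds of event: the first is a fresh validation failure, while the second is unbound reusing a cached "invalid key" verdict for mil. against an unrelated name. The following Python parser is an added example, not part of the original page; it converts the epoch stamps to UTC and separates the two cases. Its regular expressions are an assumption inferred only from these two lines, not from unbound's documented log format.

```python
import re
from datetime import datetime, timezone

# The two unbound log lines quoted on this page, verbatim.
LOG_LINES = [
    "[1449689493] unbound[25266:0] info: validation failure <army.mil. A IN>: signatures from unknown keys from 199.252.180.234 for DS army.mil. while building chain of trust",
    "[1449701259] unbound[25266:0] info: validation failure <usfj.mil. A IN>: key for validation mil. is marked as invalid because of a previous validation failure <army.mil. A IN>: no keys have a DS with algorithm RSASHA256 from 199.252.143.234 for key mil. while building chain of trust",
]

# Assumption: patterns inferred from the two lines above only.
LINE_RE = re.compile(
    r"^\[(?P<epoch>\d+)\] unbound\[\d+:\d+\] info: validation failure "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: (?P<reason>.+)$")
# "from <server> for <DS|key> <owner>": the server that answered and the
# record at which the chain of trust broke.
ORIGIN_RE = re.compile(r" from (?P<server>\S+) for (?P<rrtype>DS|key) (?P<owner>\S+)")
# Present when unbound reuses an earlier verdict instead of re-validating.
CACHED_RE = re.compile(r"because of a previous validation failure <(?P<first>\S+) ")


def parse(line):
    """Return a dict for one validation-failure line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    origin = ORIGIN_RE.search(m["reason"])
    cached = CACHED_RE.search(m["reason"])
    when = datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc)
    return {
        "utc": when.strftime("%Y-%m-%d %H:%M:%S"),
        "qname": m["qname"],
        "server": origin["server"] if origin else None,
        "broken_at": f'{origin["rrtype"]} {origin["owner"]}' if origin else None,
        # True: the queried name is a victim of a cached bad-key verdict,
        # not the query that first triggered the failure.
        "cached_verdict": cached is not None,
        "first_failure": cached["first"] if cached else None,
    }


def fresh_failures(lines):
    """Keep only failures unbound validated itself, dropping cached verdicts."""
    return [e for e in map(parse, lines) if e and not e["cached_verdict"]]


if __name__ == "__main__":
    for event in map(parse, LOG_LINES):
        print(event)
```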