.mm (Myanmar) DNSSEC Outage: 20151220 - 20151221

Updated: December 21, 2015

Overview

This page gives some details on the .mm (Myanmar) TLD DNSSEC outage from December 20 to 21, 2015. The outage disrupted all DNS service under .mm, for DNSSEC users, for 21 hours.

DNSViz

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from December 20, 2015: December 20 2015 .mm (Myanmar) TLD DNSSEC outage

OpenDNS & Google Public DNS

OpenDNS does not support DNSSEC, instead supporting DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users saw SERVFAIL for queries under .mm during this outage.

With OpenDNS, queries succeed:

$ dig google.com.mm. @resolver1.opendns.com.

; <<>> DiG 9.4.2-P2 <<>> google.com.mm. @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52433
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.mm. IN A

;; ANSWER SECTION:
google.com.mm. 300 IN A 216.58.216.228

;; Query time: 29 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sun Dec 20 07:45:04 2015
;; MSG SIZE rcvd: 47

With Google Public DNS, queries fail:

$ dig +dnssec google.com.mm. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec google.com.mm. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56567
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;google.com.mm. IN A

;; Query time: 717 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Dec 20 07:45:05 2015
;; MSG SIZE rcvd: 42

dnscheck

dnscheck.iis.se shows expired signatures at 2015-12-20 07:26:54. (requires javascript.)

dnscheck.labs.nic.cz shows expired signatures at 2015-12-20 07:27:11. (requires javascript.)

Zonemaster

Zonemaster archived this .mm TLD DNSSEC outage.