.komatsu TLD DNSSEC Outage: 20160107
Updated: January 7, 2016
Overview
This page gives some details on the .komatsu TLD DNSSEC outage on January 7, 2016.
This was part of a mass TLD DNSSEC outage affecting 10 TLDs, including .toyota, .bridgestone, .epson, .honda, .hyundai, .kia, .komatsu, .lixil, .nec, .ricoh, and .rio. These TLDs all use the same DNS provider:
for tld in bridgestone epson honda hyundai kia komatsu lixil nec ricoh toyota; do dig +short `dig +short ns $tld.`; done | sort | uniq -c | sort -rn
10 37.209.198.9
10 37.209.196.9
10 37.209.194.9
10 37.209.192.9
Problems at that shared provider most likely explain the outages. In 8 of 10 TLDs, the outage cause was "no keys have a DS with algorithm RSASHA256." In the case of .ricoh and .toyota, the cause was "signatures from unknown keys."
Timeline / DNSViz
- 2016-01-07 05:39:19 UTC — .toyota bogus DNSSEC delegation
- 2016-01-07 05:46:05 UTC — first personally observed .komatsu DNSSEC failure
- 2016-01-07 08:09:33 UTC — last personally observed .komatsu DNSSEC failure
Logfile examples
- [1452145565] unbound[24652:0] info: validation failure <komatsu. NS IN>: no keys have a DS with algorithm RSASHA256 from 37.209.194.4 for key komatsu. while building chain of trust
- [1452154173] unbound[24652:0] info: validation failure <komatsu. NS IN>: no keys have a DS with algorithm RSASHA256 from 37.209.194.4 for key komatsu. while building chain of trust
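The timeline entries above can be recovered from resolver logs like these. The following is an added example, not part of the original page: it parses the two unbound lines quoted above and reports the first and last failure per zone and cause in UTC. The regular expressions are fitted to the line format shown here, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# The two unbound log lines quoted on this page.
SAMPLE_LOG = """\
[1452145565] unbound[24652:0] info: validation failure <komatsu. NS IN>: no keys have a DS with algorithm RSASHA256 from 37.209.194.4 for key komatsu. while building chain of trust
[1452154173] unbound[24652:0] info: validation failure <komatsu. NS IN>: no keys have a DS with algorithm RSASHA256 from 37.209.194.4 for key komatsu. while building chain of trust
"""

# Fitted to the line format shown above; other unbound messages may differ.
LINE_RE = re.compile(
    r"^\[(?P<epoch>\d+)\] unbound\[\d+:\d+\] info: validation failure "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: (?P<detail>.+)$")
DETAIL_RE = re.compile(
    r"^(?P<reason>.+?) from (?P<server>\S+) for key (?P<zone>\S+)")

def parse_line(line):
    """Return a dict for one validation-failure line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    detail = rec.pop("detail")
    d = DETAIL_RE.match(detail)
    # Fall back to the raw detail when the "from <ip> for key <zone>" tail is absent.
    rec.update(d.groupdict() if d else
               {"reason": detail, "server": None, "zone": rec["qname"]})
    rec["when"] = datetime.fromtimestamp(int(rec["epoch"]), tz=timezone.utc)
    return rec

def failure_windows(log_text):
    """Group failures by (zone, reason): first/last UTC time, count, servers."""
    windows = {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        w = windows.setdefault((rec["zone"], rec["reason"]),
                               {"first": rec["when"], "last": rec["when"],
                                "count": 0, "servers": set()})
        w["first"] = min(w["first"], rec["when"])
        w["last"] = max(w["last"], rec["when"])
        w["count"] += 1
        if rec["server"]:
            w["servers"].add(rec["server"])
    return windows

if __name__ == "__main__":
    for (zone, reason), w in failure_windows(SAMPLE_LOG).items():
        print(f"{zone} {w['first']:%Y-%m-%d %H:%M:%S} to "
              f"{w['last']:%Y-%m-%d %H:%M:%S} UTC x{w['count']} "
              f"{reason} (from {', '.join(sorted(w['servers']))})")
```

Run against a full resolver log, the same grouping separates the two causes named in the overview, since each distinct reason string gets its own window.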