.lixil TLD DNSSEC Outage: 20160107
Updated: January 7, 2016
This page gives some details on the lixil TLD DNSSEC outage on January 7, 2016.
This was part of a mass TLD DNSSEC outage affecting 10 TLDs, including .toyota, .bridgestone, .epson, .honda, .hyundai, .kia, .komatsu, .lixil, .nec, .ricoh, and .rio. These TLDs all use the same DNS provider:
for tld in bridgestone epson honda hyundai kia komatsu lixil nec ricoh toyota; do dig +short `dig +short ns $tld.` done | sort | uniq -c | sort -rn
That provider most likely had issues which explain the outages. In 8 of 10 TLDs, the outage cause was "no keys have a DS with algorithm RSASHA256." In the case of .ricoh and .toyota, the cause was "signatures from unknown keys."
Timeline / DNSViz
- 2016-01-07 05:39:19 UTC — .toyota bogus DNSSEC delegation
- 2016-01-07 05:46:50 UTC — first personally observed .lixil DNSSEC failure
- 2016-01-07 08:09:46 UTC — last personally observed .lixil DNSSEC failure
-  unbound[24652:0] info: validation failure <lixil. NS IN>: no keys have a DS with algorithm RSASHA256 from 126.96.36.199 for key lixi. while building chain of trust
-  unbound[24652:0] info: validation failure <lixil. NS IN>: no keys have a DS with algorithm RSASHA256 from 188.8.131.52 for key lixi. while building chain of trust