.nec TLD DNSSEC Outage: 20160107
Updated: January 7, 2016
Overview
This page gives some details on the nec TLD DNSSEC outage on January 7, 2016.
This was part of a mass TLD DNSSEC outage affecting 10 TLDs, including .toyota, .bridgestone, .epson, .honda, .hyundai, .kia, .komatsu, .lixil, .nec, .ricoh, and .rio. These TLDs all use the same DNS provider:
for tld in bridgestone epson honda hyundai kia komatsu lixil nec ricoh toyota; do dig +short `dig +short ns $tld.` done | sort | uniq -c | sort -rn
10 37.209.198.9
10 37.209.196.9
10 37.209.194.9
10 37.209.192.9
That provider most likely had issues which explain the outages. In 8 of 10 TLDs, the outage cause was "no keys have a DS with algorithm RSASHA256." In the case of .ricoh and .toyota, the cause was "signatures from unknown keys."
Timeline / DNSViz
- 2016-01-07 05:39:19 UTC — .toyota bogus DNSSEC delegation
- 2016-01-07 05:49:11 UTC — first personally observed .nec DNSSEC failure
- 2016-01-07 08:09:15 UTC — last personally observed .nec DNSSEC failure
Logfile examples
- [1452145751] unbound[24652:0] info: validation failure <nec. NS IN>: no keys have a DS with algorithm RSASHA256 from 37.209.192.4 for key nec. while building chain of trust
- [1452154155] unbound[24652:0] info: validation failure <nec. A IN>: no keys have a DS with algorithm RSASHA256 from 37.209.192.4 for key nec. while building chain of trust