.nec TLD DNSSEC Outage: 20160107
Updated: January 7, 2016
This page gives some details on the nec TLD DNSSEC outage on January 7, 2016.
This was part of a mass TLD DNSSEC outage affecting 10 TLDs, including .toyota, .bridgestone, .epson, .honda, .hyundai, .kia, .komatsu, .lixil, .nec, .ricoh, and .rio. These TLDs all use the same DNS provider:
for tld in bridgestone epson honda hyundai kia komatsu lixil nec ricoh toyota; do dig +short `dig +short ns $tld.` done | sort | uniq -c | sort -rn
That provider most likely had issues which explain the outages. In 8 of 10 TLDs, the outage cause was "no keys have a DS with algorithm RSASHA256." In the case of .ricoh and .toyota, the cause was "signatures from unknown keys."
Timeline / DNSViz
- 2016-01-07 05:39:19 UTC — .toyota bogus DNSSEC delegation
- 2016-01-07 05:49:11 UTC — first personally observed .nec DNSSEC failure
- 2016-01-07 08:09:15 UTC — last personally observed .nec DNSSEC failure
-  unbound[24652:0] info: validation failure <nec. NS IN>: no keys have a DS with algorithm RSASHA256 from 22.214.171.124 for key nec. while building chain of trust
-  unbound[24652:0] info: validation failure <nec. A IN>: no keys have a DS with algorithm RSASHA256 from 126.96.36.199 for key nec. while building chain of trust