.is (Iceland) DNSSEC Outage: 20160125
Updated: January 25, 2016
Overview
This page gives some details on the .is (Iceland) TLD DNSSEC outage on January 25, 2016. The outage was confirmed through unbound logs, a DNSViz report, and ISNIC itself.
Timeline / DNSViz
This outage disrupted service to domains under is, which otherwise seemed okay (at least according to DNSViz). So DNSViz didn't catch it at is, but it did archive a google.is DNSSEC outage that is clearly taking place within is. The specific outage shown by DNSViz (bogus DNSKEY) matches the error messages in my logs (unknown keys), thus confirming the outage.
- 2016-01-25 14:49:26 UTC — first personally observed .is DNSSEC failure
- 2016-01-25 15:19:50 UTC — last personally observed .is DNSSEC failure
- 2016-01-25 15:26:41 UTC — google.is DNSSEC failure shows a bogus, active DNSKEY within .is
- 2016-01-25 15:28:12 UTC — google.is DNSSEC failure shows a bogus, active DNSKEY within .is
ISNIC, the .is registry, has the twitter account @isnic. It reported: "A temporary DNSSEC problem at ISNIC was solved about 10 min. ago - sorry."
Logfile examples
- [1453733366] unbound[23103:0] info: validation failure <is. A IN>: signatures from unknown keys for <is. SOA IN> from 192.5.4.1
- [1453733537] unbound[23103:0] info: validation failure <net.is. NS IN>: signatures from unknown keys for <is. SOA IN> from 194.146.106.58
- [1453733596] unbound[23103:0] info: validation failure <org.is. NS IN>: signatures from unknown keys for <is. SOA IN> from 130.208.16.20
- [1453734011] unbound[23103:0] info: validation failure <com.is. A IN>: signatures from unknown keys for <is. SOA IN> from 130.208.16.20
- [1453734280] unbound[23103:0] info: validation failure <gov.is. NS IN>: signatures from unknown keys for <is. SOA IN> from 130.208.16.20
- [1453734328] unbound[23103:0] info: validation failure <int.is. A IN>: signatures from unknown keys for <is. SOA IN> from 130.208.16.20
- [1453735190] unbound[23103:0] info: validation failure <edu.is. NS IN>: signatures from unknown keys for <gftj95deae2q0nb586m91hm3666eco2n.is. NSEC3 IN> from 192.36.125.2