220.in-addr.arpa DNSSEC Outage: 2016-03-15
Updated: March 16, 2016
Overview
This page gives some details on the 220.in-addr.arpa DNSSEC outage of March 15, 2016. It was one zone among many affected by a larger outage of APNIC's DNSSEC-signed IPv4 reverse DNS zones.
Timeline / DNSViz
- 2016-03-15 01:12:13 UTC — bogus DNSSEC delegation
- 2016-03-15 06:24:32 UTC — bogus DNSSEC delegation
- 2016-03-15 12:27:29 UTC — bogus DNSSEC delegation
- 2016-03-15 17:11:48 UTC — DNSSEC errors, but outage apparently over
- 2016-03-16 16:54:30 UTC — last personally observed DNSSEC failure (due to caching)
dns-operations list
This DNSSEC outage was discussed in the thread [dns-operations] APNIC reverse zone are broken.
apnic-talk list
The outage was acknowledged in the thread [apnic-talk] Update on APNIC IPv4 reverse DNS zones validation.
It was also discussed in [apnic-talk] APNIC reverse DNS zones validation.
The @apnic Twitter account discussed the DNSSEC outage here and here.
OpenDNS vs. Google Public DNS
OpenDNS does not validate DNSSEC (it supports DNSCurve instead), so it passed the zone's answers through unchanged. Google Public DNS validates DNSSEC and does not support DNSCurve; when the chain of trust to 220.in-addr.arpa broke, every answer under it became bogus, and a validating resolver returns SERVFAIL rather than hand out data it cannot verify. Google's users therefore saw SERVFAIL for all queries under 220.in-addr.arpa for the duration of the outage. Note the trade-off: the non-validating resolver "working" here is the same behaviour that would let a forged reverse-DNS answer through, while the validator failing closed is DNSSEC doing its job, even when the fault lies with the zone operator rather than an attacker.
With OpenDNS, queries succeed:
; <<>> DiG 9.4.2-P2 <<>> ns 220.in-addr.arpa @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53620
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;220.in-addr.arpa. IN NS
;; ANSWER SECTION:
220.in-addr.arpa. 86400 IN NS ns2.lacnic.net.
220.in-addr.arpa. 86400 IN NS apnic1.dnsnode.net.
220.in-addr.arpa. 86400 IN NS ns3.apnic.net.
220.in-addr.arpa. 86400 IN NS ns4.apnic.net.
220.in-addr.arpa. 86400 IN NS ns1.apnic.net.
220.in-addr.arpa. 86400 IN NS apnic.authdns.ripe.net.
220.in-addr.arpa. 86400 IN NS tinnie.arin.net.
;; Query time: 203 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Tue Mar 15 13:10:02 2016
;; MSG SIZE rcvd: 210
With Google Public DNS, DNSSEC validation fails and the query returns SERVFAIL (note the DO flag in the EDNS pseudosection and the empty answer section):
; <<>> DiG 9.4.2-P2 <<>> +dnssec ns 220.in-addr.arpa @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30980
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;220.in-addr.arpa. IN NS
;; Query time: 181 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Mar 15 13:10:02 2016
;; MSG SIZE rcvd: 45
Zonemaster
Zonemaster archived this 220.in-addr.arpa DNSSEC outage.
dnscheck
dnscheck.iis.se shows a broken DNSSEC delegation (requires JavaScript).
dnscheck.labs.nic.cz shows a broken DNSSEC delegation (requires JavaScript).
Logfile examples
From Unbound, at epoch 1458147270 (2016-03-16 16:54:30 UTC, the last failure noted in the timeline above). The message means the validator found no DNSKEY in the child zone matching any DS record published by the parent, so it could not build a chain of trust and marked the zone's key as invalid:
- [1458147270] unbound[7048:0] info: validation failure <220.in-addr.arpa. NS IN>: key for validation 220.in-addr.arpa. is marked as invalid because of a previous validation failure <220.in-addr.arpa. NS IN>: no keys have a DS with algorithm RSASHA1 from 200.3.13.11 for key 220.in-addr.arpa. while building chain of trust
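The check a validator performs at the step that failed here, and the one an operator would run to diagnose it, is to recompute DS records from the child's DNSKEY set and compare them with what the parent publishes. The script below is an added example, not code from the original page or from APNIC or Unbound; it implements the RFC 4034 key tag and DS digest arithmetic, then reports the same "no keys have a DS with algorithm ..." condition that the Unbound log line above shows when nothing matches. The DNSKEY public-key bytes, the zone's key set and the parent DS set are all constructed placeholders (algorithm 5, RSASHA1, is used because that is what the log names), and the before/after key-change scenario is only a hypothetical way to produce the condition; the page does not say what caused the APNIC outage. In real use the inputs would come from dig DNSKEY 220.in-addr.arpa and dig DS 220.in-addr.arpa against an in-addr.arpa server.

```python
import hashlib
import struct

ALGORITHM_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 13: "ECDSAP256SHA256"}
DIGEST_FUNCS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034 / RFC 4509)


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag, the number that appears in DS records and validator logs."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """RFC 4034 s5.1.4: digest over canonical owner name || DNSKEY RDATA."""
    return DIGEST_FUNCS[digest_type](name_to_wire(owner) + rdata).hexdigest()


def make_ds(owner, key, digest_type=2):
    """The DS (tag, algorithm, digest type, digest) a parent should publish for a child DNSKEY."""
    rdata = dnskey_rdata(*key)
    return (key_tag(rdata), key[2], digest_type, ds_digest(owner, rdata, digest_type))


def matching_ds(owner, dnskeys, ds_set):
    """Parent DS records that correspond to a DNSKEY the child actually serves.

    An empty result is exactly the 'no keys have a DS' condition a validator reports.
    """
    matches = []
    for tag, alg, dtype, digest in ds_set:
        for key in dnskeys:
            rdata = dnskey_rdata(*key)
            if key[2] == alg and key_tag(rdata) == tag \
                    and ds_digest(owner, rdata, dtype) == digest.lower():
                matches.append((tag, alg, dtype))
    return matches


def validator_verdict(owner, dnskeys, ds_set):
    """('secure', 'NOERROR', '') or ('bogus', 'SERVFAIL', reason) in the style of Unbound's log."""
    if matching_ds(owner, dnskeys, ds_set):
        return "secure", "NOERROR", ""
    algs = sorted({ALGORITHM_NAMES.get(a, str(a)) for _, a, _, _ in ds_set})
    reason = f"no keys have a DS with algorithm {', '.join(algs)} for key {owner}"
    return "bogus", "SERVFAIL", reason


ZONE = "220.in-addr.arpa."
# Constructed placeholder KSKs (flags 257 = KSK, protocol 3, algorithm 5 = RSASHA1 as in the
# log above). The "public key" bytes are dummies, not RSA material; only the tag/digest
# arithmetic is exercised.
OLD_KSK = (257, 3, 5, b"\x01\x02\x03\x04")
NEW_KSK = (257, 3, 5, b"\x0a\x0b\x0c\x0d\x0e")

# Constructed parent (in-addr.arpa) DS set, derived from OLD_KSK.
PARENT_DS = [make_ds(ZONE, OLD_KSK)]


def check_consistent():
    """Child serves the key the parent's DS points at: chain of trust builds."""
    return validator_verdict(ZONE, [OLD_KSK], PARENT_DS)


def check_mismatched():
    """Hypothetical: child now serves only NEW_KSK while the parent still publishes a DS for OLD_KSK."""
    return validator_verdict(ZONE, [NEW_KSK], PARENT_DS)


if __name__ == "__main__":
    for label, fn in (("consistent", check_consistent), ("mismatched", check_mismatched)):
        state, rcode, reason = fn()
        print(f"{label}: {state} -> {rcode} {reason}".rstrip())
```

Any real DS/DNSKEY pair can be fed to matching_ds() the same way: the digest hex from the parent's DS record and the base64-decoded public key from the child's DNSKEY. If the function returns nothing, a validating resolver will SERVFAIL the whole subtree until either the parent's DS or the child's DNSKEY set is corrected and the old data has expired from caches, which is why failures were still being observed a day after the fix in the timeline above.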