libsodium.org & dnscrypt.org DNSSEC Outages: 2016-04-26

Updated: May 1, 2016

Overview

This page gives some details on the libsodium.org and dnscrypt.org DNSSEC outages on April 26, 2016.

Note: DNSCrypt and DNSSEC are separate technologies. Running DNSCrypt, which is a fantastic technology and great for DNS security, won't condemn you to outages. However, the owner of dnscrypt.org (and libsodium.org) supports DNSSEC on his domains, and has thus had some DNSSEC outages. Here is one of them.

Timeline / DNSViz

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here are screenshots of my web browser's output from April 26, 2016:

[Screenshot: April 26, 2016 libsodium.org DNSSEC outage]

[Screenshot: April 26, 2016 dnscrypt.org DNSSEC outage]

OpenDNS & Google Public DNS

OpenDNS does not support DNSSEC, instead supporting DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users saw SERVFAIL for queries under .mm during this outage.

With OpenDNS, queries succeed (dnscrypt.org):

$ dig dnscrypt.org. @resolver1.opendns.com.

; <<>> DiG 9.4.2-P2 <<>> dnscrypt.org. @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65350
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dnscrypt.org. IN A

;; ANSWER SECTION:
dnscrypt.org. 10000 IN A 91.121.49.42

;; Query time: 124 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Tue Apr 26 12:53:15 2016
;; MSG SIZE rcvd: 46

With Google Public DNS, because of DNSSEC, queries fail:

$ dig +dnssec dnscrypt.org. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec dnscrypt.org. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44301
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;dnscrypt.org. IN A

;; Query time: 242 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Apr 26 12:53:15 2016
;; MSG SIZE rcvd: 41


With OpenDNS, queries succeed (libsodium.org):

$ dig libsodium.org. @resolver1.opendns.com.

; <<>> DiG 9.4.2-P2 <<>> libsodium.org. @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64387
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;libsodium.org. IN A

;; ANSWER SECTION:
libsodium.org. 10000 IN A 91.121.49.42

;; Query time: 143 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Tue Apr 26 12:56:02 2016
;; MSG SIZE rcvd: 47

With Google Public DNS, because of DNSSEC, queries fail:

$ dig +dnssec libsodium.org. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec libsodium.org. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 37361
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;libsodium.org. IN A

;; Query time: 248 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Apr 26 12:56:03 2016
;; MSG SIZE rcvd: 42
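
The comparison shown in the transcripts above can be automated. The following is an added example, not part of the original page: it parses the header and flags lines of two dig outputs for the same name, one from a validating resolver and one from a non-validating resolver, and labels the result. The two sample strings are copied from the dnscrypt.org transcripts above; the function names and result labels are assumptions of this example.

```python
import re

# Header and flags lines copied from the dnscrypt.org dig transcripts on this page.
OPENDNS_OUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65350
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""
GOOGLE_OUT = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44301
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

HEADER_RE = re.compile(r"->>HEADER<<-.*?status:\s*(\w+)")
# Anchored on ";; flags:" so the "; EDNS: ... flags: do;" line is not matched.
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);.*?ANSWER:\s*(\d+)", re.M)


def parse_dig(text):
    """Return rcode, header flags and answer count from dig's text output."""
    header = HEADER_RE.search(text)
    flags = FLAGS_RE.search(text)
    if not header or not flags:
        raise ValueError("not a dig response header")
    return {
        "status": header.group(1),
        "flags": set(flags.group(1).split()),
        "answers": int(flags.group(2)),
    }


def classify(validating, non_validating):
    """Compare one name's result from a validating and a non-validating resolver."""
    v, n = parse_dig(validating), parse_dig(non_validating)
    if v["status"] == "NOERROR":
        # 'ad' is set only when the validating resolver authenticated the answer.
        return "secure" if "ad" in v["flags"] else "resolves-unauthenticated"
    if v["status"] == "SERVFAIL" and n["status"] == "NOERROR" and n["answers"] > 0:
        # Data is reachable, yet the validator refuses it: the outage pattern.
        return "probable-dnssec-validation-failure"
    if v["status"] == "SERVFAIL" and n["status"] == "SERVFAIL":
        return "authoritative-or-network-failure"
    return "inconclusive"
```

Re-querying the validating resolver itself with dig's `+cd` (checking disabled) option is a stricter confirmation, because it removes any difference between the two resolvers from the comparison.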

dnscheck

dnscheck.iis.se, which requires JavaScript, shows:

dnscheck.labs.nic.cz, which requires JavaScript, shows:

Zonemaster

Zonemaster archived expired signatures for libsodium.org.

Twitter

This DNSSEC outage was mentioned on Twitter.