dnscrypt.org DNSSEC Outage: 2016-06-20 to 2016-06-22

Updated: June 22, 2016

Overview

This page gives some details on the dnscrypt.org DNSSEC outage from June 20 to June 22, 2016.

Timeline / DNSViz

2016-06-20 18:25:03 UTC — bogus RRSIGs
2016-06-20 23:47:51 UTC — bogus RRSIGs
2016-06-21 00:54:36 UTC — bogus RRSIGs
2016-06-21 10:24:17 UTC — bogus RRSIGs
2016-06-21 15:09:37 UTC — bogus RRSIGs
2016-06-21 18:27:17 UTC — bogus RRSIGs
2016-06-22 00:07:45 UTC — bogus RRSIGs
2016-06-22 05:10:44 UTC — bogus RRSIGs
2016-06-22 10:24:08 UTC — bogus RRSIGs
2016-06-22 18:24:54 UTC — bogus RRSIGs
2016-06-22 20:26:53 UTC — last personally observed dnscrypt.org DNSSEC failure

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from June 20, 2016:

June 20, 2016 dnscrypt.org DNSSEC outage

OpenDNS & Google Public DNS

OpenDNS does not support DNSSEC, instead supporting DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users saw SERVFAIL for queries under dnscrypt.org during this outage.

With OpenDNS, queries succeed (dnscrypt.org):

; <<>> DiG 9.4.2-P2 <<>> www.dnscrypt.org. @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57228
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.dnscrypt.org. IN A

;; ANSWER SECTION:
www.dnscrypt.org. 10000 IN A 37.59.238.213

;; Query time: 97 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Tue Jun 21 00:48:12 2016
;; MSG SIZE rcvd: 50

With Google Public DNS, because of DNSSEC, queries fail:

$ dig +dnssec www.dnscrypt.org. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec www.dnscrypt.org. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53648
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.dnscrypt.org. IN A

;; Query time: 251 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jun 21 00:48:12 2016
;; MSG SIZE rcvd: 45

dnscheck

Note: dnscheck doesn't support DNSSEC signature algorithm 13, ECDSAP256SHA256. So even correctly configured DNSSEC sites show failure — see this example (cloudflare.com was not failing at the time of this test). The following links are provided for posterity.

dnscheck.labs.nic.cz doesn't support DNSSEC algorithm 13 (requires javascript).

dnscheck.iis.se doesn't support DNSSEC algorithm 13 (requires javascript).

Zonemaster

zonemaster.net archived bogus signatures for dnscrypt.org.

zonemaster.fr archived bogus signatures for dnscrypt.org.

Logfile examples

[1466466449] unbound[27574:0] info: validation failure <dnscrypt.org. A IN>: use of signature for ECDSA crypto failed from 78.194.219.1 for key dnscrypt.org. while building chain of trust
[1466532550] unbound[9824:0] info: validation failure <www.dnscrypt.org. A IN>: use of signature for ECDSA crypto failed from 37.59.238.213 for key dnscrypt.org. while building chain of trust
[1466627213] unbound[11562:0] info: validation failure <www.dnscrypt.org. A IN>: key for validation dnscrypt.org. is marked as invalid because of a previous validation failure <dnscrypt.org. A IN>: use of signature for ECDSA crypto failed from 78.194.219.1 for key dnscrypt.org. while building chain of trust