www.nsf.gov/A DNSSEC Outage: 2016-07-22 to 2016-07-24
Updated: December 30, 2016
Overview
This page gives some details on the www.nsf.gov/A DNSSEC outage from July 22 to July 24, 2016. It was not the first DNSSEC outage for the National Science Foundation.
Timeline / DNSViz
- 2016-07-22 05:41:18 UTC — Bogus RRSIG
- 2016-07-22 05:45:16 UTC — Bogus RRSIG
- 2016-07-22 13:10:30 UTC — Bogus RRSIG
- 2016-07-24 17:59:50 UTC — last personally observed DNSSEC failure
OpenDNS vs. Google Public DNS
OpenDNS does not support DNSSEC, and instead supports DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users saw SERVFAIL for www.nsf.gov/A queries during this outage.
With OpenDNS, without DNSSEC, DNS works:
$ dig www.nsf.gov @resolver1.opendns.com.
; <<>> DiG 9.4.2-P2 <<>> www.nsf.gov @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65296
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.nsf.gov. IN A
;; ANSWER SECTION:
www.nsf.gov. 346 IN A 204.14.135.126
;; Query time: 0 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Fri Jul 22 05:45:08 2016
;; MSG SIZE rcvd: 45
With Google Public DNS, because of DNSSEC, queries fail:
$ dig +dnssec www.nsf.gov @8.8.8.8
; <<>> DiG 9.4.2-P2 <<>> +dnssec www.nsf.gov @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22248
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.nsf.gov. IN A
;; Query time: 74 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jul 22 05:45:08 2016
;; MSG SIZE rcvd: 40
Logfile examples
- [1469166305] unbound[11076:0] info: validation failure <www.nsf.gov. A IN>: signature crypto failed from 204.14.134.227
- [1469304545] unbound[14991:0] info: validation failure <www.nsf.gov. A IN>: signature crypto failed from 204.14.134.227
- [1469383190] unbound[14991:0] info: validation failure <www.nsf.gov. A IN>: signature crypto failed from 204.14.134.227