xn--pgbs0dh IDN TLD (Tunisia) DNSSEC Outage: 2016-07-26 to 2016-07-29

Updated: July 29, 2016

Overview

This page gives some details on the xn--pgbs0dh IDN TLD DNSSEC outage from July 26 to July 29, 2016.

Timeline / DNSViz

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from July 26, 2016:

July 26, 2016 xn--pgbs0dh TLD DNSSEC outage

OpenDNS & Google Public DNS

OpenDNS does not support DNSSEC; it supports DNSCurve instead. Google Public DNS currently supports only DNSSEC, so Google's users saw SERVFAIL for queries under xn--pgbs0dh during this outage.

$ dig ns xn--pgbs0dh. @resolver1.opendns.com.

; <<>> DiG 9.4.2-P2 <<>> ns xn--pgbs0dh. @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32032
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;xn--pgbs0dh. IN NS

;; ANSWER SECTION:
xn--pgbs0dh. 86400 IN NS ns1.ati.tn.
xn--pgbs0dh. 86400 IN NS ns2.ati.tn.

;; Query time: 237 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Tue Jul 26 19:40:39 2016
;; MSG SIZE rcvd: 71


With Google Public DNS, which validates DNSSEC, queries fail:

$ dig +dnssec ns xn--pgbs0dh. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec ns xn--pgbs0dh. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6958
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;xn--pgbs0dh. IN NS

;; Query time: 132 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jul 26 19:40:39 2016
;; MSG SIZE rcvd: 40

dnscheck

dnscheck.labs.nic.cz shows expired RRSIGs (requires JavaScript).

dnscheck.iis.se shows expired RRSIGs (requires JavaScript).

Zonemaster

zonemaster.net archived "Delegation from parent to child is not properly signed (signature: DNSSEC signature has expired)."

zonemaster.fr archived "Delegation from parent to child is not properly signed (signature: DNSSEC signature has expired)."
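
The expired-signature condition reported by dnscheck and Zonemaster above can be checked by reading the expiration and inception fields of each RRSIG. The following is an added example, not part of the original page: the records are constructed (an `example.` zone with a placeholder key tag and signature), and the function names and the three-day warning window are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed records in dig presentation format (placeholder key tag/signature).
SAMPLE = """\
example. 86400 IN RRSIG NS 8 1 86400 20160726120000 20160712120000 12345 example. c2ln
example. 86400 IN RRSIG SOA 8 1 86400 20160728000000 20160714000000 12345 example. c2ln
example. 86400 IN RRSIG DNSKEY 8 1 86400 20160820000000 20160720000000 12345 example. c2ln
example. 86400 IN NS ns1.example.
"""

def _ts(field):
    # RFC 4034 presentation format: YYYYMMDDHHmmSS, always UTC.
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Yield (owner, type_covered, inception, expiration) per RRSIG line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13 or f[0].startswith(";") or f[3].upper() != "RRSIG":
            continue
        # RDATA order: covered alg labels origttl EXPIRATION INCEPTION keytag signer sig
        yield f[0], f[4], _ts(f[9]), _ts(f[8])

def classify(text, now, warn=timedelta(days=3)):
    """Return [(owner, type_covered, status)] for every RRSIG in text."""
    out = []
    for owner, covered, inception, expiration in parse_rrsigs(text):
        if now < inception:
            status = "not-yet-valid"
        elif now > expiration:
            status = "expired"      # validating resolvers answer SERVFAIL
        elif expiration - now <= warn:
            status = "expiring"     # re-sign before this lapses
        else:
            status = "ok"
        out.append((owner, covered, status))
    return out

if __name__ == "__main__":
    now = datetime(2016, 7, 26, 19, 40, 39, tzinfo=timezone.utc)  # constructed clock
    for row in classify(SAMPLE, now):
        print(*row)
```

Feeding it the output of `dig +dnssec +cd` for a zone's NS, SOA and DNSKEY sets on a schedule gives warning before signatures lapse rather than after validating resolvers start failing.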

Logfile examples