xn--pgbs0dh IDN TLD (Tunisia) DNSSEC Outage: 2016-08-20 to 2016-08-22
Updated: August 22, 2016
Overview
This page gives some details on the xn--pgbs0dh IDN TLD DNSSEC outage from August 20 to August 22, 2016.
Timeline / DNSViz
- 2016-08-20 11:33:35 UTC — RRSIGs expire
- 2016-08-20 11:34:40 UTC — expired RRSIGs
- 2016-08-20 16:33:24 UTC — expired RRSIGs
- 2016-08-20 21:42:13 UTC — expired RRSIGs
- 2016-08-21 04:32:50 UTC — expired RRSIGs
- 2016-08-21 10:33:07 UTC — expired RRSIGs
- 2016-08-21 16:33:25 UTC — expired RRSIGs
- 2016-08-21 22:33:35 UTC — expired RRSIGs
- 2016-08-22 00:33:54 UTC — expired RRSIGs
- 2016-08-22 07:02:19 UTC — expired RRSIGs
- 2016-08-22 11:12:24 UTC — last personally observed DNSSEC failure
DNSSEC Debugger
Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from July 26, 2016:
OpenDNS & Google Public DNS
OpenDNS does not support DNSSEC, instead supporting DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users saw SERVFAIL for queries under xn--pgbs0dh during this outage.
$ dig ns xn--pgbs0dh. @resolver1.opendns.com.
; <<>> DiG 9.4.2-P2 <<>> ns xn--pgbs0dh. @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21453
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;xn--pgbs0dh. IN NS
;; ANSWER SECTION:
xn--pgbs0dh. 86400 IN NS ns1.ati.tn.
xn--pgbs0dh. 86400 IN NS ns2.ati.tn.
;; Query time: 21 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sat Aug 20 14:53:27 2016
;; MSG SIZE rcvd: 71
With Google Public DNS, because of DNSSEC, queries fail:
$ dig +dnssec ns xn--pgbs0dh. @8.8.8.8
; <<>> DiG 9.4.2-P2 <<>> +dnssec ns xn--pgbs0dh. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62079
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;xn--pgbs0dh. IN NS
;; Query time: 120 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Aug 20 14:53:27 2016
;; MSG SIZE rcvd: 40
dnscheck
dnscheck.labs.nic.cz shows expired RRSIGs (requires JavaScript).
dnscheck.iis.se shows expired RRSIGs (requires JavaScript).
Zonemaster
zonemaster.net archived "Delegation from parent to child is not properly signed (signature: DNSSEC signature has expired)."
zonemaster.fr archived "Delegation from parent to child is not properly signed (signature: DNSSEC signature has expired)."
Logfile examples
- [1471703481] unbound[30043:0] info: validation failure <xn--pgbs0dh. NS IN>: signature expired from 193.95.67.22 for key xn--pgbs0dh. while building chain of trust
- [1471703606] unbound[30043:0] info: validation failure <xn--pgbs0dh. NS IN>: signature expired from 193.95.66.10 for key xn--pgbs0dh. while building chain of trust
- [1471735214] unbound[9597:0] info: validation failure <www.dnssec.xn--pgbs0dh. A IN>: signature expired from 193.95.67.22 for key xn--pgbs0dh. while building chain of trust
- [1471864344] unbound[12762:0] info: validation failure <xn--pgbs0dh. NS IN>: signature expired from 193.95.66.10 for key xn--pgbs0dh. while building chain of trust
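As an added example (not part of the original page and not Unbound's own tooling), this Python script parses validation-failure lines like the ones above and reports, per zone whose key failed, the observed failure window, the reasons, and the authoritative servers involved. The regular expression assumes the exact line layout of the four entries listed here, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# The four log lines from the "Logfile examples" list above, list markers removed.
SAMPLE_LOG = """\
[1471703481] unbound[30043:0] info: validation failure <xn--pgbs0dh. NS IN>: signature expired from 193.95.67.22 for key xn--pgbs0dh. while building chain of trust
[1471703606] unbound[30043:0] info: validation failure <xn--pgbs0dh. NS IN>: signature expired from 193.95.66.10 for key xn--pgbs0dh. while building chain of trust
[1471735214] unbound[9597:0] info: validation failure <www.dnssec.xn--pgbs0dh. A IN>: signature expired from 193.95.67.22 for key xn--pgbs0dh. while building chain of trust
[1471864344] unbound[12762:0] info: validation failure <xn--pgbs0dh. NS IN>: signature expired from 193.95.66.10 for key xn--pgbs0dh. while building chain of trust
"""

# Assumption: every line of interest follows the layout seen on this page:
# [epoch] unbound[pid:thread] info: validation failure <name type class>: reason from server for key zone
LINE_RE = re.compile(
    r"\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: validation failure "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: "
    r"(?P<reason>.+?) from (?P<server>\S+) for key (?P<zone>\S+)"
)

def parse_line(line):
    """Return a dict for one validation-failure line, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    event = m.groupdict()
    event["time"] = datetime.fromtimestamp(int(event.pop("ts")), tz=timezone.utc)
    return event

def summarize(lines):
    """Group failures by the zone whose key failed and track the observed window."""
    zones = {}
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # not a validation-failure line
        z = zones.setdefault(event["zone"], {
            "first": event["time"], "last": event["time"], "count": 0,
            "reasons": set(), "servers": set(), "queries": set()})
        z["first"] = min(z["first"], event["time"])
        z["last"] = max(z["last"], event["time"])
        z["count"] += 1
        z["reasons"].add(event["reason"])
        z["servers"].add(event["server"])
        z["queries"].add((event["qname"], event["qtype"]))
    return zones

if __name__ == "__main__":
    for zone, z in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{zone} {z['count']} failures, {z['first']:%Y-%m-%d %H:%M:%S} to "
              f"{z['last']:%Y-%m-%d %H:%M:%S} UTC, reasons={sorted(z['reasons'])}, "
              f"servers={sorted(z['servers'])}")
```

On these four lines the reported window ends at 2016-08-22 11:12:24 UTC, the same instant as the last entry in the timeline.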