pch.net DNSSEC Outage: 2016-09-13

Updated: September 13, 2016

Overview

This page gives some details on the pch.net DNSSEC outage on September 13, 2016. According to their website, "PCH is the largest authoritative DNS service network in the world, hosting three roots and 280 top-level domains on thousands of servers in more than 100 locations around the world. PCH is also the operator of the only FIPS 140-2 Level 4 DNSSEC signing platform other than the root itself."

Timeline / DNSViz

OpenDNS & Google Public DNS

OpenDNS does not validate DNSSEC (it supports DNSCurve instead), so it happily returns whatever the authoritative servers hand it. Google Public DNS validates DNSSEC for every query, and so Google's users saw SERVFAIL for pch.net and for names under it such as www.pch.net during this outage.

With OpenDNS, which doesn't validate DNSSEC, queries succeed:

$ dig pch.net @resolver1.opendns.com.

; <<>> DiG 9.4.2-P2 <<>> pch.net @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43610
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;pch.net. IN A

;; ANSWER SECTION:
pch.net. 300 IN A 206.220.231.31

;; Query time: 2 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Tue Sep 13 12:01:12 2016
;; MSG SIZE rcvd: 41


With Google Public DNS, which validates DNSSEC regardless of whether the client asked for it (the +dnssec flag below only requests the RRSIG records in the reply; it is not what triggers validation), the same query fails with SERVFAIL:

$ dig +dnssec pch.net @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec pch.net @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17105
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;pch.net. IN A

;; Query time: 26 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Sep 13 12:01:12 2016
;; MSG SIZE rcvd: 36
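
The practitioner's check for telling a DNSSEC validation failure apart from a plain resolution failure is to repeat the query with dig's +cd flag, which sets the Checking Disabled bit so a validating resolver hands back the data it could not validate; a successful answer should also carry the "ad" flag if the resolver validated it. The script below is an added example and is not part of the original page: it extracts the status and flags from dig output and applies that rule. The HEADER and flags lines it runs on are constructed to mirror the transcripts above, not captured output, and the live form of the check (diagnose) is provided but needs network access.

```shell
#!/bin/sh
# Added example, not from the original page: decide whether a SERVFAIL is a
# DNSSEC validation failure by comparing a normal query with a +cd query.
# +cd sets the Checking Disabled bit, so a validating resolver returns the
# (unvalidated) answer it would otherwise refuse to hand out.

# dig_status: print the rcode (NOERROR, SERVFAIL, ...) from dig output on stdin.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# dig_flags: print the header flags (e.g. "qr rd ra ad") from dig output on stdin.
dig_flags() {
    sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1
}

# classify NORMAL_STATUS CD_STATUS NORMAL_FLAGS: print a one-word diagnosis.
classify() {
    case "$1/$2" in
        SERVFAIL/NOERROR) echo "dnssec-validation-failure" ;;   # works only with CD: validation failed
        SERVFAIL/*)       echo "resolution-failure" ;;          # broken even with CD: not a DNSSEC problem
        NOERROR/*)
            case " $3 " in
                *" ad "*) echo "ok-validated" ;;                 # AD bit: resolver validated the answer
                *)        echo "ok-unvalidated" ;;               # no AD: answered without validation
            esac ;;
        *)                echo "unknown" ;;
    esac
}

# diagnose NAME RESOLVER: live use (needs network), e.g. diagnose pch.net 8.8.8.8
diagnose() {
    normal=$(dig "$1" "@$2")
    cd_out=$(dig +cd "$1" "@$2")
    classify "$(printf '%s\n' "$normal" | dig_status)" \
             "$(printf '%s\n' "$cd_out" | dig_status)" \
             "$(printf '%s\n' "$normal" | dig_flags)"
}

# Constructed sample outputs modelled on the transcripts above (not real captures).
GOOGLE_NORMAL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17105
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
GOOGLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17106
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
OPENDNS_NORMAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43610
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'

# diagnose_samples RESOLVER: run classify over the constructed samples
# (OpenDNS does not validate, so its +cd answer is modelled as identical).
diagnose_samples() {
    case "$1" in
        google)  classify "$(printf '%s\n' "$GOOGLE_NORMAL" | dig_status)" \
                          "$(printf '%s\n' "$GOOGLE_CD" | dig_status)" \
                          "$(printf '%s\n' "$GOOGLE_NORMAL" | dig_flags)" ;;
        opendns) classify "$(printf '%s\n' "$OPENDNS_NORMAL" | dig_status)" \
                          "$(printf '%s\n' "$OPENDNS_NORMAL" | dig_status)" \
                          "$(printf '%s\n' "$OPENDNS_NORMAL" | dig_flags)" ;;
    esac
}

echo "google:  $(diagnose_samples google)"
echo "opendns: $(diagnose_samples opendns)"
```

The "dnssec-validation-failure" result is what the Google transcript above corresponds to: the authoritative servers are answering, but the chain of trust from the .net DS record down to pch.net's signatures does not verify. The "ok-unvalidated" result for OpenDNS is not a clean bill of health for the zone; it only means that resolver never checked.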

Zonemaster

Logfile examples