.win TLD DNSSEC Outage: 2016-11-10
Updated: November 11, 2016
Overview
This page gives some details on the .win TLD DNSSEC outage on November 10, 2016. It was a short outage.
Timeline / DNSViz
- 2016-11-10 23:19:07 UTC — first personally observed DNSSEC failure
- 2016-11-10 23:19:52 UTC — Bogus SOA, other DNSSEC problems
OpenDNS & Google Public DNS
OpenDNS does not support DNSSEC; it supports DNSCurve instead. Google Public DNS currently supports only DNSSEC, so Google's users saw SERVFAIL for queries under the .win TLD during this outage.
With OpenDNS, which doesn't support DNSSEC, queries succeed:
$ dig win @resolver1.opendns.com.
; <<>> DiG 9.10.3-P4-Ubuntu <<>> win @resolver1.opendns.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30637
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;win. IN A
;; AUTHORITY SECTION:
win. 3600 IN SOA ns1.dns.nic.WIN. hostmaster.neustar.biz. 1048277 900 900 604800 7200
;; Query time: 45 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Thu Nov 10 23:19:42 UTC 2016
;; MSG SIZE rcvd: 105
With Google Public DNS, because of DNSSEC, queries fail:
$ dig +dnssec win @8.8.8.8
; <<>> DiG 9.10.3-P4-Ubuntu <<>> +dnssec win @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39117
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;win. IN A
;; Query time: 24 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Nov 10 23:19:42 UTC 2016
;; MSG SIZE rcvd: 32
With Google Public DNS and DNSSEC validation disabled (+cd, the "checking disabled" flag), queries succeed:
$ dig +cd win @8.8.8.8
; <<>> DiG 9.10.3-P4-Ubuntu <<>> +cd win @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7151
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;win. IN A
;; AUTHORITY SECTION:
win. 1799 IN SOA ns1.dns.nic.win. hostmaster.neustar.biz. 1048277 900 900 604800 7200
;; Query time: 23 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Nov 10 23:19:42 UTC 2016
;; MSG SIZE rcvd: 102
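The comparison made by the last two queries (same resolver, same name, once with validation and once with +cd) can be automated when triaging a SERVFAIL. The following is an added example, not part of the original page: it parses the header lines of two dig outputs and reports whether the failure disappears when checking is disabled. The function names and verdict strings are hypothetical; the sample input is the header lines from the two Google Public DNS responses above.

```python
import re

HEADER_RE = re.compile(r"->>HEADER<<- opcode: \w+, status: (\w+), id: \d+")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)

# Header lines copied from the two Google Public DNS responses on this page.
VALIDATING = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39117
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
CHECKING_DISABLED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7151
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""

def parse_dig(text):
    """Return the response code and header flags from dig's text output."""
    header = HEADER_RE.search(text)
    flags = FLAGS_RE.search(text)
    if not header or not flags:
        raise ValueError("input does not look like a dig response")
    return {"status": header.group(1), "flags": set(flags.group(1).split())}

def classify(validating, unchecked):
    """Compare a normal query with the same query repeated using +cd.

    Verdict strings are hypothetical labels chosen for this example.
    """
    v, u = parse_dig(validating), parse_dig(unchecked)
    if "cd" not in u["flags"]:
        # Without the CD bit echoed back, the second answer proves nothing.
        raise ValueError("second response was not obtained with +cd")
    if v["status"] == "SERVFAIL" and u["status"] == "NOERROR":
        # Data is reachable; only validation rejects it (the .win case).
        return "dnssec-validation-failure"
    if v["status"] == "SERVFAIL" and u["status"] == "SERVFAIL":
        # Still failing with checking disabled: not a signature problem.
        return "resolution-failure"
    if v["status"] == u["status"]:
        return "no-dnssec-difference"
    return "inconclusive"

if __name__ == "__main__":
    print(classify(VALIDATING, CHECKING_DISABLED))
```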
Zonemaster
- zonemaster.net archived "Delegation from parent to child is not properly signed (no_signature)."
- zonemaster.fr archived "Delegation from parent to child is not properly signed (no_signature)."
Logfile examples
- [1478819947] unbound[95521:0] info: validation failure <win. NS IN>: no signatures from 156.154.159.182
- [1478820213] unbound[95521:0] info: validation failure <win. NS IN>: no signatures from 156.154.144.182 for key win. while building chain of trust