opendnssec.org DNSSEC Outage: 2016-12-31 to 2017-01-01

Updated: January 1, 2017

Overview

This page gives some details on the opendnssec.org DNSSEC outage from December 31, 2016, to January 1, 2017. OpenDNSSEC is used by many people to sign their DNSSEC records, and this is not the first DNSSEC outage for the OpenDNSSEC maintainers.

Timeline / DNSViz

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from December 31, 2016:

[Screenshot: opendnssec.org DNSSEC outage, December 31, 2016]

OpenDNS & Google Public DNS

OpenDNS does not support DNSSEC, and instead supports DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users saw SERVFAIL for queries for opendnssec.org during this outage.

$ dig opendnssec.org @resolver1.opendns.com.

; <<>> DiG 9.4.2-P2 <<>> opendnssec.org @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8715
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;opendnssec.org. IN A

;; AUTHORITY SECTION:
opendnssec.org. 3600 IN SOA ns.kirei.se. hostmaster.kirei.se. 2016033282 14400 3600 1209600 3600

;; Query time: 508 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sat Dec 31 18:36:17 2016
;; MSG SIZE rcvd: 98


With Google Public DNS, because of DNSSEC, queries fail:

$ dig +dnssec opendnssec.org @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec opendnssec.org @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2516
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;opendnssec.org. IN A

;; Query time: 167 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Dec 31 18:36:17 2016
;; MSG SIZE rcvd: 43
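
The split between the two resolvers above is the usual signature of a DNSSEC validation failure, and it can be checked mechanically. The following is an added example, not part of the original page: it parses the two dig transcripts shown here (trimmed) and classifies the pair. The function names and result labels are assumptions made for illustration.

```python
import re

HEADER = re.compile(r"->>HEADER<<- opcode: \w+, status: (\w+), id: \d+")
FLAGS = re.compile(r"^;; flags: ([a-z ]*); QUERY: \d+, ANSWER: (\d+)", re.M)
SERVER = re.compile(r"^;; SERVER: ([^#\s]+)#\d+", re.M)

def parse_dig(text):
    """Pull rcode, header flags, answer count and server out of dig's text output."""
    header, flags, server = HEADER.search(text), FLAGS.search(text), SERVER.search(text)
    if not header or not flags:
        raise ValueError("no dig header found")
    return {"status": header.group(1), "flags": set(flags.group(1).split()),
            "answers": int(flags.group(2)), "server": server.group(1) if server else None}

def classify(validating, plain):
    """Compare a validating resolver's reply with a non-validating one for the same name."""
    v, p = parse_dig(validating), parse_dig(plain)
    if v["status"] == "SERVFAIL" and p["status"] in ("NOERROR", "NXDOMAIN"):
        return "dnssec-validation-failure-suspected"  # zone answers, validation rejects it
    if v["status"] == "SERVFAIL" and p["status"] == "SERVFAIL":
        return "resolution-failure"                   # broken for everyone, not DNSSEC-specific
    if v["status"] == "NOERROR" and "ad" in v["flags"]:
        return "validated"                            # AD bit: resolver authenticated the data
    if v["status"] == p["status"]:
        return "consistent-unvalidated"               # same rcode, no AD bit (e.g. unsigned zone)
    return "inconclusive"

# Trimmed from the two dig transcripts on this page.
OPENDNS = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8715
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; SERVER: 208.67.222.222#53(208.67.222.222)
"""
GOOGLE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2516
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512
;; SERVER: 8.8.8.8#53(8.8.8.8)
"""

if __name__ == "__main__":
    print(classify(GOOGLE, OPENDNS))
```

Repeating the query against the validating resolver with dig's `+cd` (checking disabled) option confirms the diagnosis when the data comes back.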

dnscheck

Zonemaster

Logfile examples