opendnssec.org DNSSEC Outage: 2016-12-31 to 2017-01-01
Updated: January 1, 2017
Overview
This page gives some details on the opendnssec.org DNSSEC outage from December 31, 2016, to January 1, 2017. OpenDNSSEC is used by many people to sign their DNSSEC records, and this is not the first DNSSEC outage for the OpenDNSSEC maintainers.
Timeline / DNSViz
- 2016-12-31 18:36:27 UTC — Missing DNSKEY and Missing SOA RRSIG
- 2016-12-31 18:55:58 UTC — Bogus DNSSEC delegation
- 2016-12-31 19:30:26 UTC — Bogus DNSSEC delegation
- 2016-12-31 23:39:27 UTC — Bogus DNSSEC delegation
- 2017-01-01 03:41:02 UTC — Bogus DNSSEC delegation
- 2017-01-01 11:24:09 UTC — Bogus DNSSEC delegation
- 2017-01-01 14:38:38 UTC — last personally observed DNSSEC failure
- 2017-01-01 15:22:00 UTC — DNSSEC outage debris remains
DNSSEC Debugger
Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from December 31, 2016:
OpenDNS & Google Public DNS
OpenDNS does not support DNSSEC, and instead supports DNSCurve. Google Public DNS currently supports only DNSSEC, and thus Google's users saw SERVFAIL for queries for opendnssec.org during this outage.
$ dig opendnssec.org @resolver1.opendns.com.
; <<>> DiG 9.4.2-P2 <<>> opendnssec.org @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8715
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;opendnssec.org. IN A
;; AUTHORITY SECTION:
opendnssec.org. 3600 IN SOA ns.kirei.se. hostmaster.kirei.se. 2016033282 14400 3600 1209600 3600
;; Query time: 508 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sat Dec 31 18:36:17 2016
;; MSG SIZE rcvd: 98
With Google Public DNS, because of DNSSEC, queries fail:
$ dig +dnssec opendnssec.org @8.8.8.8
; <<>> DiG 9.4.2-P2 <<>> +dnssec opendnssec.org @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2516
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;opendnssec.org. IN A
;; Query time: 167 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Dec 31 18:36:17 2016
;; MSG SIZE rcvd: 43
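The two dig captures above show the pattern an operator wants a monitoring script to recognise: NOERROR from a non-validating resolver, SERVFAIL with the DO bit set from a validating one. The following is an added example (not part of the original page) that parses saved dig output and classifies it; the two captures from the page are embedded as its input, and the verdict strings and the suggestion to re-query with +cd (dig's "checking disabled" option) are the example's own.

```python
import re

# Sample inputs: the two dig captures quoted on the page (OpenDNS, then Google
# Public DNS), embedded verbatim so the parser runs offline.
OPENDNS_OUTPUT = """\
; <<>> DiG 9.4.2-P2 <<>> opendnssec.org @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8715
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;opendnssec.org. IN A
;; AUTHORITY SECTION:
opendnssec.org. 3600 IN SOA ns.kirei.se. hostmaster.kirei.se. 2016033282 14400 3600 1209600 3600
"""

GOOGLE_OUTPUT = """\
; <<>> DiG 9.4.2-P2 <<>> +dnssec opendnssec.org @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2516
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;opendnssec.org. IN A
"""

HEADER_RE = re.compile(r"status: (?P<status>[A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags: (?P<flags>[a-z ]*);.*ANSWER: (?P<answers>\d+)", re.M)
EDNS_RE = re.compile(r"^; EDNS: version: \d+, flags: (?P<flags>[a-z ]*);", re.M)


def parse_dig(text):
    """Pull the RCODE, header flags, answer count and EDNS flags out of dig output."""
    header = HEADER_RE.search(text)
    flags = FLAGS_RE.search(text)
    edns = EDNS_RE.search(text)
    if not header or not flags:
        raise ValueError("not a dig answer: missing header or flags line")
    hdr_flags = set(flags.group("flags").split())
    edns_flags = set(edns.group("flags").split()) if edns else set()
    return {
        "status": header.group("status"),
        "answer_count": int(flags.group("answers")),
        "ad": "ad" in hdr_flags,   # resolver asserted validation
        "do": "do" in edns_flags,  # query asked for DNSSEC records
    }


def classify(text):
    """Attach a human-readable verdict to a parsed dig answer (verdict wording is this example's)."""
    r = parse_dig(text)
    if r["status"] == "SERVFAIL" and r["do"]:
        r["verdict"] = ("SERVFAIL on a DNSSEC-enabled query: likely validation failure; "
                        "rerun with +cd to tell it apart from an unreachable authority")
    elif r["status"] == "SERVFAIL":
        r["verdict"] = "SERVFAIL without DO bit: resolver-side error, DNSSEC not necessarily involved"
    elif r["status"] == "NOERROR" and r["ad"]:
        r["verdict"] = "validated answer (AD bit set)"
    elif r["status"] == "NOERROR" and r["answer_count"] == 0:
        r["verdict"] = "NOERROR with no answer records (NODATA); this resolver did not assert validation"
    elif r["status"] == "NOERROR":
        r["verdict"] = "answer returned without the AD bit: not validated by this resolver"
    else:
        r["verdict"] = f"unexpected status {r['status']}"
    return r


if __name__ == "__main__":
    for label, capture in (("OpenDNS", OPENDNS_OUTPUT), ("Google", GOOGLE_OUTPUT)):
        print(label, classify(capture)["verdict"])
```

Feeding it the live output of `dig +dnssec` against a validating resolver (and the `+cd` re-query when the verdict says so) turns the manual comparison on this page into a repeatable check.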
dnscheck
- dnscheck.labs.nic.cz found "Not enough valid signatures over SOA RRset found for opendnssec.org" (requires javascript).
- dnscheck.iis.se found "Not enough valid signatures over SOA RRset found for opendnssec.org" (requires javascript).
Zonemaster
- zonemaster.net found "No signature correctly signed the NSEC RRset."
- zonemaster.fr found "No signature correctly signed the NSEC RRset."
Logfile examples
- [1483209373] unbound[16007:0] info: validation failure <opendnssec.org. A IN>: no signatures from 91.123.201.115 for <opendnssec.org. SOA IN>
- [1483209514] unbound[16007:0] info: validation failure <www.opendnssec.org. A IN>: signatures from unknown keys from 185.49.141.14
- [1483209580] unbound[16007:0] info: validation failure <opendnssec.org. A IN>: signatures from unknown keys from 192.36.115.53 for <opendnssec.org. SOA IN>
- [1483209870] unbound[16007:0] info: validation failure <www.opendnssec.org. A IN>: signatures from unknown keys from 91.123.201.115
- [1483209942] unbound[16007:0] info: validation failure <opendnssec.org. A IN>: no signatures from 185.49.141.14 for <opendnssec.org. SOA IN>
- [1483281518] unbound[60595:0] info: validation failure <www.opendnssec.org. A IN>: signatures from unknown keys from 185.49.141.14 for DS www.opendnssec.org. while building chain of trust
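Unbound lines like the ones above are the first place a resolver operator notices a zone's signatures have gone bad, but they are easy to miss in a busy log. The following is an added example (not part of the original page, and not unbound's own tooling) that parses "validation failure" lines into records, summarises them by name, authoritative server and failure kind, and lists names that crossed an alert threshold. The six page log lines are embedded as input along with one constructed non-failure line; the threshold value and the "start of service" line are the example's own assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Sample input: the six unbound lines quoted on the page, plus one constructed
# unrelated info line to show that non-failure lines are skipped.
SAMPLE_LOG = """\
[1483209373] unbound[16007:0] info: validation failure <opendnssec.org. A IN>: no signatures from 91.123.201.115 for <opendnssec.org. SOA IN>
[1483209514] unbound[16007:0] info: validation failure <www.opendnssec.org. A IN>: signatures from unknown keys from 185.49.141.14
[1483209580] unbound[16007:0] info: validation failure <opendnssec.org. A IN>: signatures from unknown keys from 192.36.115.53 for <opendnssec.org. SOA IN>
[1483209870] unbound[16007:0] info: validation failure <www.opendnssec.org. A IN>: signatures from unknown keys from 91.123.201.115
[1483209942] unbound[16007:0] info: validation failure <opendnssec.org. A IN>: no signatures from 185.49.141.14 for <opendnssec.org. SOA IN>
[1483281518] unbound[60595:0] info: validation failure <www.opendnssec.org. A IN>: signatures from unknown keys from 185.49.141.14 for DS www.opendnssec.org. while building chain of trust
[1483209400] unbound[16007:0] info: start of service (constructed line, not a failure)
"""

# "[epoch] unbound[pid:tid] info: validation failure <qname qtype qclass>: reason"
LINE_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[[^\]]+\] info: validation failure "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: (?P<reason>.*)$"
)
# The two reason shapes present in the sample; anything else is kept as "other".
REASON_RE = re.compile(
    r"^(?P<kind>no signatures|signatures from unknown keys) from (?P<server>[0-9a-fA-F.:]+)"
)


def parse_unbound_log(text):
    """Return one record per validation-failure line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rm = REASON_RE.match(m.group("reason"))
        records.append({
            "time": datetime.fromtimestamp(int(m.group("ts")), tz=timezone.utc),
            "qname": m.group("qname"),
            "qtype": m.group("qtype"),
            "reason": m.group("reason"),
            "kind": rm.group("kind") if rm else "other",
            "server": rm.group("server") if rm else None,
        })
    return records


def summarize(records):
    """Counts per name, per authoritative server and per failure kind, plus the time span."""
    return {
        "count": len(records),
        "by_qname": Counter(r["qname"] for r in records),
        "by_server": Counter(r["server"] for r in records if r["server"]),
        "by_kind": Counter(r["kind"] for r in records),
        "first": min(r["time"] for r in records) if records else None,
        "last": max(r["time"] for r in records) if records else None,
    }


def names_to_alert(records, threshold=3):
    """Names with at least `threshold` failures (threshold is an assumed value chosen
    here so a single transient failure does not raise an alert)."""
    return sorted(n for n, c in summarize(records)["by_qname"].items() if c >= threshold)


if __name__ == "__main__":
    recs = parse_unbound_log(SAMPLE_LOG)
    s = summarize(recs)
    print(f"{s['count']} validation failures between {s['first']} and {s['last']}")
    for server, n in s["by_server"].most_common():
        print(f"  {server}: {n}")
    print("alert on:", names_to_alert(recs))
```

On the page's lines the first and last timestamps decode to 2016-12-31 18:36:13 UTC and 2017-01-01 14:38:38 UTC, which lines up with the timeline above; the per-server counts show that every listed authoritative address served the bad data, pointing at the zone's signing rather than at one misbehaving server.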