internetsociety.org DNSSEC Outage:
2017-02-19 to 2017-02-20
Updated: February 20, 2017
Overview
This page gives some details on the internetsociety.org DNSSEC outage from February 19 to February 20, 2017. The Internet Society is one of the biggest supporters of DNSSEC and this is not the first DNSSEC outage for the Internet Society.
Timeline / DNSViz
- 2017-02-19 20:40:01 UTC — RRSIGs expire
- 2017-02-19 20:40:21 UTC — expired RRSIGs
- 2017-02-20 14:54:03 UTC — expired RRSIGs
- 2017-02-20 15:58:00 UTC — last personally observed DNSSEC failure
- 2017-02-20 16:43:22 UTC — DNSSEC outage over
Verisign's DNSSEC Debugger
Verisign doesn't archive test results, so here's a screenshot I took of my web browser's output on February 19, 2017:
OpenDNS & Google Public DNS
OpenDNS does not support DNSSEC, and instead supports DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users saw SERVFAIL for queries under internetsociety.org during this outage.
With OpenDNS, queries succeed:
$ dig www.internetsociety.org @resolver1.opendns.com.
; <<>> DiG 9.4.2-P2 <<>> www.internetsociety.org @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20277
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.internetsociety.org. IN A
;; ANSWER SECTION:
www.internetsociety.org. 73 IN A 212.110.167.151
;; Query time: 0 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Mon Feb 20 00:06:19 2017
;; MSG SIZE rcvd: 57
With Google Public DNS, with DNSSEC, queries fail:
$ dig +dnssec www.internetsociety.org @8.8.8.8
; <<>> DiG 9.4.2-P2 <<>> +dnssec www.internetsociety.org @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36872
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.internetsociety.org. IN A
;; Query time: 125 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Feb 20 00:06:19 2017
;; MSG SIZE rcvd: 52
- Reporting the outage, @taihen wrote: "@internetsociety your domain is not resolving anymore: host internetsociety.org ;; connection timed out; no servers could be reached"
- Amusingly and unintentionally, @act1983 wrote: "Who Makes the Internet Work: The Internet Ecosystem internetsociety.org/who-makes-inte... #MultiStakeholder #Technology #WCIT #WTPF"
- During the DNSSEC outage, @ISOC-DC tweeted "Internet Society joins global commission on the stability of #cyberspace - bit.ly/2m49aM6"
Logfile examples
- [1487555223] unbound[62525:0] info: validation failure <www.internetsociety.org. A IN>: signature expired from 65.22.6.1 for key internetsociety.org. while building chain of trust
- [1487565532] unbound[62525:0] info: validation failure <internetsociety.org. A IN>: signature expired from 65.22.7.1 for key internetsociety.org. while building chain of trust
- [1487606280] unbound[33157:0] info: validation failure <internetsociety.org. A IN>: key for validation internetsociety.org. is marked as invalid because of a previous validation failure <wp.internetsociety.org. A IN>: signature expired from 65.22.8.1 for key internetsociety.org. while building chain of trust
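The three log lines above, parsed into UTC times, query names, upstream servers and root cause, as an added example that is not part of the original page. The function and field names are this example's own; the last entry decodes to 2017-02-20 15:58:00 UTC, matching the final observed failure in the timeline.

```python
import re
from datetime import datetime, timezone

# The three unbound log lines quoted on this page (list bullets removed).
SAMPLE_LOG = """\
[1487555223] unbound[62525:0] info: validation failure <www.internetsociety.org. A IN>: signature expired from 65.22.6.1 for key internetsociety.org. while building chain of trust
[1487565532] unbound[62525:0] info: validation failure <internetsociety.org. A IN>: signature expired from 65.22.7.1 for key internetsociety.org. while building chain of trust
[1487606280] unbound[33157:0] info: validation failure <internetsociety.org. A IN>: key for validation internetsociety.org. is marked as invalid because of a previous validation failure <wp.internetsociety.org. A IN>: signature expired from 65.22.8.1 for key internetsociety.org. while building chain of trust
"""

# [epoch] unbound[pid:thread] info: validation failure <qname qtype qclass>: detail
HEAD = re.compile(r"^\[(\d+)\] unbound\[\d+:\d+\] info: validation failure <(\S+) (\S+) \S+>: (.*)$")
# Root cause clause at the end of the detail: "<reason> from <server> for key <zone> while ..."
CAUSE = re.compile(r"(\w[\w ]*?) from (\S+) for key (\S+) while building chain of trust$")
# Present when the line says the key was already marked invalid by an earlier failure.
CACHED = re.compile(r"previous validation failure <(\S+) ")

def parse_line(line):
    """Return a dict for one validation-failure line, or None if it is not one."""
    head = HEAD.match(line.strip())
    if not head:
        return None
    epoch, qname, qtype, detail = head.groups()
    cause = CAUSE.search(detail)
    cached = CACHED.search(detail)
    return {
        "utc": datetime.fromtimestamp(int(epoch), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "qname": qname,
        "qtype": qtype,
        "reason": cause.group(1) if cause else detail,
        "server": cause.group(2) if cause else None,
        "key_zone": cause.group(3) if cause else None,
        "cached_from": cached.group(1) if cached else None,
    }

def summarize(log_text):
    """Group failures by (key zone, reason) with first/last time and the servers involved."""
    out = {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        s = out.setdefault((rec["key_zone"], rec["reason"]),
                           {"first": rec["utc"], "last": rec["utc"], "servers": set(), "count": 0})
        s["first"], s["last"] = min(s["first"], rec["utc"]), max(s["last"], rec["utc"])
        s["servers"].add(rec["server"])
        s["count"] += 1
    return out

if __name__ == "__main__":
    for key, s in summarize(SAMPLE_LOG).items():
        print(key, s["count"], s["first"], "->", s["last"], sorted(s["servers"]))
```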