internetsociety.org DNSSEC Outage:
2017-02-19 to 2017-02-20

Updated: February 20, 2017

Overview

This page gives some details on the internetsociety.org DNSSEC outage from February 19 to February 20, 2017. The Internet Society is one of the biggest supporters of DNSSEC and this is not the first DNSSEC outage for Internet Society.

Timeline / DNSViz

2017-02-19 20:40:01 UTC — RRSIGs expire
2017-02-19 20:40:21 UTC — expired RRSIGs
2017-02-20 14:54:03 UTC — expired RRSIGs
2017-02-20 15:58:00 UTC — last personally observed DNSSEC failure
2017-02-20 16:43:22 UTC — DNSSEC outage over

Verisign's DNSSEC Debugger

Verisign doesn't archive test results, to here's a screenshot I took of my web browser's output on February 19, 2017:

internetsociety.org DNSSEC outage, February 19, 2017

OpenDNS & Google Public DNS

OpenDNS does not support DNSSEC, and instead supports DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users saw SERVFAIL for queries under internetsociety.org during this outage.

With OpenDNS, queries succeed:

$ dig www.internetsociety.org @resolver1.opendns.com.

; <<>> DiG 9.4.2-P2 <<>> www.internetsociety.org @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20277
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.internetsociety.org. IN A

;; ANSWER SECTION:
www.internetsociety.org. 73 IN A 212.110.167.151

;; Query time: 0 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Mon Feb 20 00:06:19 2017
;; MSG SIZE rcvd: 57

With Google Public DNS, with DNSSEC, queries fail:

$ dig +dnssec www.internetsociety.org @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec www.internetsociety.org @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36872
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.internetsociety.org. IN A

;; Query time: 125 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Feb 20 00:06:19 2017
;; MSG SIZE rcvd: 52

Twitter

Reporting the outage, @taihen wrote: "@internetsociety your domain is not resolving anymore: host internetsociety.org ;; connection timed out; no servers could be reached"
Amusingly and unintentionally, @act1983 wrote: "Who Makes the Internet Work: The Internet Ecosystem internetsociety.org/who-makes-inte... #MultiStakeholder #Technology #WCIT #WTPF"
During the DNSSEC outage, @ISOC-DC tweeted "Internet Society joins global commission on the stability of #cyberspace - bit.ly/2m49aM6"

Logfile examples

[1487555223] unbound[62525:0] info: validation failure <www.internetsociety.org. A IN>: signature expired from 65.22.6.1 for key internetsociety.org. while building chain of trust
[1487565532] unbound[62525:0] info: validation failure <internetsociety.org. A IN>: signature expired from 65.22.7.1 for key internetsociety.org. while building chain of trust
[1487606280] unbound[33157:0] info: validation failure <internetsociety.org. A IN>: key for validation internetsociety.org. is marked as invalid because of a previous validation failure <wp.internetsociety.org. A IN>: signature expired from 65.22.8.1 for key internetsociety.org. while building chain of trust