libreswan.org DNSSEC Outage: 2017-04-01

Updated: April 2, 2017

Overview

This page gives some details on the libreswan.org DNSSEC outage on April 1, 2017. It was probably related a DNSSEC failure within nohats.ca, which provides DNS service for libreswan.org.

Timeline

• 2017-04-01 00:24:20 UTC — first personally observed libreswan.org DNSSEC failure
• 2017-04-01 01:49:41 UTC — last personally observed libreswan.org DNSSEC failure

OpenDNS & Google Public DNS

OpenDNS does not support DNSSEC, and instead supports DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users saw SERVFAIL for queries under libreswan.org during this outage.

With OpenDNS, queries succeed:

$ dig www.libreswan.org @resolver1.opendns.com.

; <<>> DiG 9.9.5-9+deb8u10-Debian <<>> www.libreswan.org @resolver1.opendns.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10891
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.libreswan.org. IN A

;; ANSWER SECTION:
www.libreswan.org. 7200 IN A 188.127.201.229

;; Query time: 361 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sat Apr 01 00:28:22 UTC 2017
;; MSG SIZE rcvd: 62

With Google Public DNS, because of DNSSEC, queries fail:

$ dig +dnssec www.libreswan.org @8.8.8.8

; <<>> DiG 9.9.5-9+deb8u10-Debian <<>> +dnssec www.libreswan.org @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31427
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.libreswan.org. IN A

;; Query time: 374 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 01 00:28:23 UTC 2017
;; MSG SIZE rcvd: 46

Zonemaster

• zonemaster.net archived "Delegation from parent to child is not properly signed (signature: DNSSEC signature has expired)."
• zonemaster.fr archived "Delegation from parent to child is not properly signed (signature: DNSSEC signature has expired)."

Logfile examples

• [1491006271] unbound[32453:0] info: validation failure <libreswan.org. A IN>: signature expired from 149.56.110.74 for key libreswan.org. while building chain of trust
• [1491011223] unbound[32453:0] info: validation failure <libreswan.org. A IN>: signature expired from 149.56.110.74 for key libreswan.org. while building chain of trust

Related: nohats.ca DNSSEC problems. Briefly:

$ dig +dnssec ns2.nohats.ca @8.8.8.8

; <<>> DiG 9.9.5-9+deb8u10-Debian <<>> +dnssec ns2.nohats.ca @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22904
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;ns2.nohats.ca. IN A

;; Query time: 3237 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 01 01:37:07 UTC 2017
;; MSG SIZE rcvd: 42

• [1491010473] unbound[75792:0] info: validation failure <ns2.nohats.ca. A IN>: signature expired from 149.56.110.74
• [1491010621] unbound[32453:0] info: validation failure <ns2.nohats.ca. A IN>: signature expired from 149.56.110.74
• [1491010897] unbound[75792:0] info: validation failure <ns2.nohats.ca. A IN>: signature expired from 188.127.201.225
• [1491011220] unbound[32453:0] info: validation failure <ns2.nohats.ca. A IN>: signature expired from 149.56.110.74
• [1491011377] unbound[75792:0] info: validation failure <ns2.nohats.ca. A IN>: signature expired from 149.56.110.74