nic.in DNSSEC Outage: 2017-04-22

Updated: April 23, 2017

Overview

This page gives some details on the nic.in DNSSEC outage on April 22, 2017.

Timeline / DNSViz

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from April 22, 2017:

April 22, 2017 nic.in DNSSEC outage

OpenDNS & Google Public DNS

OpenDNS does not support DNSSEC, instead supporting DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users saw SERVFAIL for queries under opendnssec.org during this outage.

$ dig mx nic.in. @resolver1.opendns.com.

; <<>> DiG 9.4.2-P2 <<>> mx nic.in. @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61721
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;nic.in. IN MX

;; ANSWER SECTION:
nic.in. 1500 IN MX 0 mailgw.nic.in.

;; Query time: 271 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sun Apr 23 04:05:16 2017
;; MSG SIZE rcvd: 47


With Google Public DNS, because of DNSSEC, queries fail:

$ dig +dnssec mx nic.in. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec mx nic.in. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26220
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;nic.in. IN MX

;; Query time: 340 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 23 04:05:17 2017
;; MSG SIZE rcvd: 35

Zonemaster

dnscheck

Logfile examples