defcon.org partial DNSSEC Outage:
June 2017 - July 2017
Updated: July 14, 2017
Overview
This page gives some details on the ongoing defcon.org partial DNSSEC outage that began in June 2017. This partial outage principally affected the American ISP Comcast.
Timeline / DNSViz
- 2017-06-11 04:13:40 UTC — expired RRSIGs
- 2017-06-18 20:13:46 UTC — expired RRSIGs
- 2017-06-25 20:13:11 UTC — expired RRSIGs
- 2017-07-02 20:13:35 UTC — expired RRSIGs
- 2017-07-11 00:46:43 UTC — expired RRSIGs
- 2017-07-14 03:18:06 UTC — expired RRSIGs
- 2017-07-14 03:26:55 UTC — partial outage
- 2017-07-14 04:32:57 UTC — debris, but DNSSEC outage essentially over
DNSSEC Debugger
Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from July 11, 2017:
Read this from December 2, 2015:
... and this from June 15, 2017:
... and this from July 10, 2017:
... and @defcon again acknowledging the problem on July 11, 2017:
Logfile examples
- [1497216596] unbound[61085:0] info: validation failure <www.defcon.org. A IN>: signature expired from 193.70.13.218 for key defcon.org. while building chain of trust
- [1497239098] unbound[61085:0] info: validation failure <defcon.org. MX IN>: signature expired from 193.70.13.218 for key defcon.org. while building chain of trust
- [1499956252] unbound[1814:0] info: validation failure <defcon.org. A IN>: signature missing from 162.222.171.195 for key defcon.org. while building chain of trust