defcon.org partial DNSSEC Outage:
June 2017 - July 2017

Updated: July 14, 2017

Overview

This page gives some details on the ongoing defcon.org partial DNSSEC outage that began in June 2017. This partial outage principally affected the American ISP Comcast.

Timeline / DNSViz

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from June 12, 2017:

June 12, 2017 defcon.org DNSSEC outage

dnscheck

Note: dnscheck requires javascript.

Zonemaster

Twitter

Read this from December 2, 2015:

December 2, 2015 partial DNSSEC outage, defcon.org

... and this from June 15, 2017:

June 16 partial DNSSEC outage, defcon.org

... and this from July 10, 2017:

July 11 partial DNSSEC outage, defcon.org

... and @defcon again acknowledging the problem on July 11, 2017:

July 11 partial DNSSEC outage, defcon.org

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):

;; Domain: defcon.org.
[B] defcon.org. 86400 IN DNSKEY 256 3 5 ;{id = 1651 (zsk), size = 1024b}
defcon.org. 86400 IN DNSKEY 257 3 5 ;{id = 65416 (ksk), size = 2048b}
defcon.org. 86400 IN DNSKEY 256 3 13 ;{id = 55894 (zsk), size = 256b}
defcon.org. 86400 IN DNSKEY 256 3 7 ;{id = 1802 (zsk), size = 1024b}
defcon.org. 86400 IN DNSKEY 257 3 13 ;{id = 55059 (ksk), size = 256b}
defcon.org. 86400 IN DNSKEY 257 3 7 ;{id = 5991 (ksk), size = 2048b}
[B] defcon.org. 86400 IN A 178.62.233.48
;; Error: No keys with the keytag and algorithm from the RRSIG found
;;[S] self sig OK; [B] bogus; [T] trusted

Logfile examples