dnscrypt.pl DNSSEC Outage:
2017-08-20 to 2017-08-22
Updated: August 23, 2017
Overview
This page gives some details on the dnscrypt.pl DNSSEC outage from August 20 to August 22, 2017. This site has had multiple DNSSEC outages.
Timeline / DNSViz
- 2017-08-20 21:39:14 UTC — RRSIGs expire
- 2017-08-20 21:40:01 UTC — expired RRSIGs
- 2017-08-20 21:43:12 UTC — expired RRSIGs
- 2017-08-20 21:45:01 UTC — expired RRSIGs
- 2017-08-21 01:29:49 UTC — expired RRSIGs
- 2017-08-21 10:33:03 UTC — expired RRSIGs
- 2017-08-21 22:04:05 UTC — expired RRSIGs
- 2017-08-22 01:46:27 UTC — expired RRSIGs
- 2017-08-22 10:05:06 UTC — expired RRSIGs
- 2017-08-22 16:36:00 UTC — last personally observed DNSSEC failure
- 2017-08-22 23:03:33 UTC — DNSSEC outage over
DNSSEC Debugger
Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from August 20, 2017:

Google Public DNS, with/without DNSSEC
With DNSSEC enabled, queries fail:
$ dig +dnssec a dnscrypt.pl. @8.8.8.8
; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec a dnscrypt.pl. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23899
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;dnscrypt.pl. IN A
;; Query time: 319 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Aug 20 21:43:25 UTC 2017
;; MSG SIZE rcvd: 40
You have to disable DNSSEC validation to make DNS work (+cd sets the Checking Disabled bit, so the resolver hands back the answer without validating it):
$ dig +cd a dnscrypt.pl. @8.8.8.8
; <<>> DiG 9.10.3-P4-Debian <<>> +cd a dnscrypt.pl. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43216
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dnscrypt.pl. IN A
;; ANSWER SECTION:
dnscrypt.pl. 86399 IN A 178.62.233.48
;; Query time: 185 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Aug 20 21:43:26 UTC 2017
;; MSG SIZE rcvd: 56
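The outage came down to RRSIGs that were never re-signed before their expiration field ran out. The following script is an added example, not code from the original page or from dnscrypt.pl: it parses RRSIG records in dig presentation format and classifies each one at a given instant as expired, not yet valid, expiring soon, or OK, the kind of check a zone operator would run from cron well ahead of the expiry. The sample RRSIG lines are constructed; their expiration matches the timeline's 21:39:14 UTC entry and the key tags and algorithms are taken from the drill DNSKEY listing below, but the signature data is a placeholder.

```python
"""Check RRSIG validity windows in dig-style presentation format.

Added example (not from the original page): classifies RRSIGs at a given
instant as expired, not yet valid, expiring soon, or ok.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample RRSIGs for dnscrypt.pl. Expiration 20170820213914 matches the
# page's "RRSIGs expire" timeline entry; key tags 1651/1802/55894 and algorithms
# 5/7/13 come from the page's drill DNSKEY listing. The signature is a placeholder.
SAMPLE_RRSIGS = """\
dnscrypt.pl. 86400 IN RRSIG A 5 2 86400 20170820213914 20170721213914 1651 dnscrypt.pl. PLACEHOLDER==
dnscrypt.pl. 86400 IN RRSIG A 7 2 86400 20170820213914 20170721213914 1802 dnscrypt.pl. PLACEHOLDER==
dnscrypt.pl. 86400 IN RRSIG A 13 2 86400 20170820213914 20170721213914 55894 dnscrypt.pl. PLACEHOLDER==
"""

def parse_rrsig_time(ts: str) -> datetime:
    """RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2)."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text: str) -> List[Dict]:
    """Parse RRSIG lines: owner TTL class RRSIG type alg labels origTTL exp inc tag signer sig."""
    sigs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13 or f[3] != "RRSIG":
            continue
        sigs.append({
            "owner": f[0], "type_covered": f[4], "algorithm": int(f[5]),
            "expiration": parse_rrsig_time(f[8]), "inception": parse_rrsig_time(f[9]),
            "key_tag": int(f[10]), "signer": f[11],
        })
    return sigs

def check_rrsigs(text: str, now: datetime,
                 warn_before: timedelta = timedelta(days=3)) -> Dict[str, List[str]]:
    """Classify each RRSIG at `now`; 'expiring' means it runs out within warn_before."""
    report: Dict[str, List[str]] = {"expired": [], "not_yet_valid": [], "expiring": [], "ok": []}
    for s in parse_rrsigs(text):
        label = f"{s['owner']} {s['type_covered']} alg={s['algorithm']} tag={s['key_tag']}"
        if now > s["expiration"]:
            report["expired"].append(label)
        elif now < s["inception"]:
            report["not_yet_valid"].append(label)
        elif s["expiration"] - now <= warn_before:
            report["expiring"].append(label)
        else:
            report["ok"].append(label)
    return report

if __name__ == "__main__":
    # The page's failing Google Public DNS query ran at 21:43:25 UTC, four minutes after expiry.
    for state, sigs in check_rrsigs(SAMPLE_RRSIGS, parse_rrsig_time("20170820214325")).items():
        for s in sigs:
            print(f"{state}: {s}")
```

Pointed at a live zone, the same classification can be fed from `dig +dnssec RRSIG <name>` output; the three-day warning window is an assumption and should be set below the zone's re-signing interval.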
drill trace
Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):
;; Domain: dnscrypt.pl.
[B] dnscrypt.pl. 86400 IN DNSKEY 257 3 5 ;{id = 65416 (ksk), size = 2048b}
dnscrypt.pl. 86400 IN DNSKEY 257 3 13 ;{id = 55059 (ksk), size = 256b}
dnscrypt.pl. 86400 IN DNSKEY 257 3 7 ;{id = 5991 (ksk), size = 2048b}
dnscrypt.pl. 86400 IN DNSKEY 256 3 5 ;{id = 1651 (zsk), size = 1024b}
dnscrypt.pl. 86400 IN DNSKEY 256 3 7 ;{id = 1802 (zsk), size = 1024b}
dnscrypt.pl. 86400 IN DNSKEY 256 3 13 ;{id = 55894 (zsk), size = 256b}
[B] dnscrypt.pl. 86400 IN A 178.62.233.48
;; Error: No keys with the keytag and algorithm from the RRSIG found
;;[S] self sig OK; [B] bogus; [T] trusted
Logfile examples
- [1503269480] unbound[7251:0] info: validation failure <www.dnscrypt.pl. A IN>: signature expired from 193.70.13.218 for key dnscrypt.pl. while building chain of trust
- [1503278744] unbound[7251:0] info: validation failure <dnscrypt.pl. MX IN>: signature expired from 79.98.145.34 for key dnscrypt.pl. while building chain of trust
- [1503419760] unbound[9220:0] info: validation failure <www.dnscrypt.pl. A IN>: signature expired from 193.70.13.218 for key dnscrypt.pl. while building chain of trust