dnssek.info DNSSEC Outage: 2017-08-31

Date: August 31, 2017

Overview

This page gives some details on the dnssek.info DNSSEC outage on August 31, 2017. dnssek.info provides what it calls the "DNSSEC EARLY WARNING SYSTEM (DEWS)" for expiring and expired TLD RRSIGs...

Timeline / DNSViz

2017-08-31 19:53:25 UTC — RRSIGs expire
2017-08-31 19:54:14 UTC — expired RRSIGs
2017-08-31 19:55:12 UTC — expired RRSIGs
2017-08-31 19:58:03 UTC — expired RRSIGs
2017-08-31 19:59:03 UTC — expired RRSIGs
2017-08-31 21:48:28 UTC — DS record removed from .info

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from August 31, 2017:

August 31, 2017 dnssek.info DNSSEC outage

Zonemaster

zonemaster.net archived "Delegation from parent to child is not properly signed (signature: DNSSEC signature has expired)."
zonemaster.net archived "Delegation from parent to child is not properly signed (signature: DNSSEC signature has expired)."

dnscheck

dnscheck.labs.nic.cz shows "Not enough valid signatures found for dnssek.info." (requires javascript).
dnscheck.iis.se shows "Not enough valid signatures found for dnssek.info" (requires javascript).

Google Public DNS

DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC.

With Google Public DNS, because of DNSSEC, queries fail:

$ dig +dnssec a www.dnssek.info. @8.8.8.8

; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec a www.dnssek.info. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58404
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.dnssek.info. IN A

;; Query time: 102 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Aug 31 19:54:52 UTC 2017
;; MSG SIZE rcvd: 44

You have to disable DNSSEC to make DNS queries work:

$ dig +cd a www.dnssek.info. @8.8.8.8

; <<>> DiG 9.10.3-P4-Debian <<>> +cd a www.dnssek.info. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25708
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.dnssek.info. IN A

;; ANSWER SECTION:
www.dnssek.info. 3599 IN A 192.101.186.107

;; Query time: 217 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Aug 31 19:54:53 UTC 2017
;; MSG SIZE rcvd: 60

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):

;; Domain: dnssek.info.
[B] dnssek.info. 3600 IN DNSKEY 257 3 8 ;{id = 532 (ksk), size = 2048b}
dnssek.info. 3600 IN DNSKEY 256 3 8 ;{id = 38286 (zsk), size = 2048b}
[B] Error verifying denial of existence for dnssek.info. type A: No keys with the keytag and algorithm from the RRSIG found
;;[S] self sig OK; [B] bogus; [T] trusted

Logfile examples

[1504209285] unbound[8495:0] info: validation failure <www.dnssek.info. A IN>: signature expired from 45.56.97.49 for key dnssek.info. while building chain of trust
[1504215233] unbound[8495:0] info: validation failure <www.dnssek.info. A IN>: signature expired from 106.187.89.79 for key dnssek.info. while building chain of trust