dnscrypt.pl DNSSEC Outage:
2017-09-05 to 2017-09-08
Updated: September 9, 2017
Overview
This page gives some details on the dnscrypt.pl DNSSEC outage from September 5 to September 8, 2017. This site has had multiple DNSSEC outages.
Timeline / DNSViz
- 2017-09-05 16:33:27 UTC — RRSIGs expire
- 2017-09-05 16:34:42 UTC — expired RRSIGs
- 2017-09-05 16:35:12 UTC — expired RRSIGs
- 2017-09-05 16:36:25 UTC — expired RRSIGs
- 2017-09-05 16:38:47 UTC — expired RRSIGs
- 2017-09-06 01:46:32 UTC — expired RRSIGs
- 2017-09-06 22:24:13 UTC — expired RRSIGs
- 2017-09-07 02:34:59 UTC — expired RRSIGs
- 2017-09-07 14:40:08 UTC — expired RRSIGs
- 2017-09-08 01:57:28 UTC — expired RRSIGs
- 2017-09-08 15:09:19 UTC — last personally observed DNSSEC failure
- 2017-09-09 01:33:33 UTC — DNSSEC outage over
DNSSEC Debugger
Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from September 5, 2017:
Google Public DNS, with/without DNSSEC
With DNSSEC validation requested (+dnssec sets the DO bit), queries fail with SERVFAIL:
$ dig +dnssec a dnscrypt.pl. @8.8.8.8
; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec a dnscrypt.pl. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35734
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;dnscrypt.pl. IN A
;; Query time: 335 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Sep 05 16:35:06 UTC 2017
;; MSG SIZE rcvd: 40
You have to disable validation (+cd sets the Checking Disabled bit) to get an answer at all:
$ dig +cd a dnscrypt.pl. @8.8.8.8
; <<>> DiG 9.10.3-P4-Debian <<>> +cd a dnscrypt.pl. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42938
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dnscrypt.pl. IN A
;; ANSWER SECTION:
dnscrypt.pl. 86399 IN A 178.62.233.48
;; Query time: 168 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Sep 05 16:35:07 UTC 2017
;; MSG SIZE rcvd: 56
drill trace
Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):
;; Domain: dnscrypt.pl.
[B] dnscrypt.pl. 86400 IN DNSKEY 256 3 5 ;{id = 1651 (zsk), size = 1024b}
dnscrypt.pl. 86400 IN DNSKEY 256 3 7 ;{id = 1802 (zsk), size = 1024b}
dnscrypt.pl. 86400 IN DNSKEY 257 3 5 ;{id = 65416 (ksk), size = 2048b}
dnscrypt.pl. 86400 IN DNSKEY 256 3 13 ;{id = 55894 (zsk), size = 256b}
dnscrypt.pl. 86400 IN DNSKEY 257 3 13 ;{id = 55059 (ksk), size = 256b}
dnscrypt.pl. 86400 IN DNSKEY 257 3 7 ;{id = 5991 (ksk), size = 2048b}
[B] dnscrypt.pl. 86400 IN A 178.62.233.48
;; Error: No keys with the keytag and algorithm from the RRSIG found
;;[S] self sig OK; [B] bogus; [T] trusted
Logfile examples
- [1504637354] unbound[22057:0] info: validation failure <www.dnscrypt.pl. A IN>: signature expired from 79.98.145.34 for key dnscrypt.pl. while building chain of trust
- [1504637502] unbound[22057:0] info: validation failure <dnscrypt.pl. MX IN>: signature expired from 79.98.145.34 for key dnscrypt.pl. while building chain of trust
- [1504645029] unbound[41587:0] info: validation failure <dnscrypt.pl. A IN>: signature expired from 193.70.13.218 for key dnscrypt.pl. while building chain of trust
- [1504883359] unbound[32832:0] info: validation failure <www.dnscrypt.pl. A IN>: signature expired from 193.70.13.218 for key dnscrypt.pl. while building chain of trust
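The two failure modes on this page, expired signatures (the Unbound "signature expired" lines) and an RRSIG whose key tag/algorithm matches no DNSKEY (the drill error), can both be caught before resolvers start returning SERVFAIL by checking the zone's own RRSIG and DNSKEY records. The following is an added example, not code from this report or from dnscrypt.pl: it parses records in presentation format, computes DNSKEY key tags per RFC 4034 Appendix B, and flags expired, soon-to-expire and orphaned RRSIGs. The sample records and key material are constructed placeholders, not the zone's real keys; only the A-record expiry time is taken from the timeline above.

```python
import base64
from datetime import datetime, timezone

def _ts(s):
    """Parse the YYYYMMDDHHMMSS timestamps used in RRSIG RDATA as UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def dnskey_tag(rdata):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags, protocol, algorithm, key)."""
    flags, proto, alg, *key_b64 = rdata
    raw = int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
    raw += base64.b64decode("".join(key_b64))
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(raw))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def check_zone(lines, now, warn_hours=72):
    """Return problems for RRSIGs that are expired, expire within warn_hours,
    or name a (key tag, algorithm) pair absent from the DNSKEY RRset.
    `now` uses the same YYYYMMDDHHMMSS format as the RRSIG timestamps."""
    now = _ts(now)
    # Drop ';' comments (as in drill output) and blank lines before splitting fields.
    rrs = [r for r in (line.split(";", 1)[0].split() for line in lines) if r]
    keys = {(dnskey_tag(rdata), int(rdata[2]))
            for _, _, _, rtype, *rdata in rrs if rtype == "DNSKEY"}
    problems = []
    for owner, _, _, rtype, *rdata in rrs:
        if rtype != "RRSIG":
            continue
        # RRSIG RDATA: type_covered alg labels orig_ttl expiration inception keytag signer sig
        covered, alg, exp, tag = rdata[0], int(rdata[1]), _ts(rdata[4]), int(rdata[6])
        left = (exp - now).total_seconds() / 3600
        if (tag, alg) not in keys:
            problems.append(f"{owner} RRSIG({covered}): no DNSKEY with tag {tag}/alg {alg}")
        elif left <= 0:
            problems.append(f"{owner} RRSIG({covered}): expired at {exp:%Y-%m-%d %H:%M:%S} UTC")
        elif left < warn_hours:
            problems.append(f"{owner} RRSIG({covered}): expires in {left:.0f}h")
    return problems

# Constructed sample: placeholder key bytes (tag 1553), one RRSIG expiring at the
# 16:33:27 UTC time from the timeline, one referencing a key not in the RRset.
SAMPLE = [
    "dnscrypt.pl. 86400 IN DNSKEY 256 3 13 AAECAw==",
    "dnscrypt.pl. 86400 IN RRSIG A 13 2 86400 20170905163327 20170806163327 1553 dnscrypt.pl. c2ln",
    "dnscrypt.pl. 86400 IN RRSIG MX 7 2 86400 20171005000000 20170906000000 1802 dnscrypt.pl. c2ln",
    "www.dnscrypt.pl. 86400 IN RRSIG A 13 3 86400 20171005000000 20170906000000 1553 dnscrypt.pl. c2ln",
]

if __name__ == "__main__":
    for p in check_zone(SAMPLE, now="20170905163506"):  # time of the failing dig above
        print(p)
```

In production the input would be the output of a query for the zone's DNSKEY RRset plus RRSIGs (for example dig +dnssec against an authoritative server), run on a schedule well inside the signature validity window.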