sakura TLD DNSSEC Outage: 2017-09-24

Date: September 24, 2017

Overview

This page gives some details on the sakura TLD DNSSEC outage on September 24, 2017.

Timeline / DNSViz

2017-09-24 19:00:58 UTC — Missing RRSIGs
2017-09-24 19:02:53 UTC — Missing RRSIGs
2017-09-24 19:05:29 UTC — Missing RRSIGs
2017-09-24 20:06:22 UTC — Missing RRSIGs
2017-09-24 20:37:26 UTC — DNSSEC outage over

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from September 24, 2017:

September 24, 2017 sakura TLD DNSSEC outage

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):

;; Domain: sakura.
[T] sakura. 86400 IN DNSKEY 256 3 8 ;{id = 14661 (zsk), size = 1024b}
sakura. 86400 IN DNSKEY 257 3 8 ;{id = 14464 (ksk), size = 2048b}
sakura. 86400 IN DNSKEY 256 3 8 ;{id = 58026 (zsk), size = 1024b}
[B] Unable to verify denial of existence for sakura. type A
;;[S] self sig OK; [B] bogus; [T] trusted

dnscheck

Note: dnscheck requires javascript.

dnscheck.labs.nic.cz archived "Not enough valid signatures over SOA RRset found for sakura."
dnscheck.iis.se archived "Not enough valid signatures over SOA RRset found for sakura."

Google Public DNS: with and without DNSSEC

DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC.

With DNSSEC, DNS queries fail:

$ dig +dnssec whois.nic.sakura. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec whois.nic.sakura. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52388
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;whois.nic.sakura. IN A

;; Query time: 537 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Sep 24 19:22:47 2017
;; MSG SIZE rcvd: 45

You have to disable DNSSEC to make DNS queries work:

$ dig +cd whois.nic.sakura @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +cd whois.nic.sakura @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40137
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;whois.nic.sakura. IN A

;; ANSWER SECTION:
whois.nic.sakura. 297 IN A 203.208.23.24

;; Query time: 2357 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Sep 24 19:22:50 2017
;; MSG SIZE rcvd: 50

Logfile examples

[1506279913] unbound[37570:0] info: validation failure <sakura. NS IN>: no signatures from 65.22.40.137
[1506283425] unbound[37570:0] info: validation failure <whois.nic.sakura. A IN>: no signatures from 117.104.133.18 for DS nic.sakura. while building chain of trust
[1506284013] unbound[37570:0] info: validation failure <nic.sakura. MX IN>: no signatures from 103.47.2.3 for DS nic.sakura. while building chain of trust