in-addr.arpa DNSSEC Outage: 2017-10-24
Date: October 24, 2017
Overview
This page gives some details on the in-addr.arpa DNSSEC outage on October 24, 2017.
Timeline / DNSViz
- 2017-10-24 20:45:54 UTC — first personally observed in-addr.arpa DNSSEC failure
- 2017-10-24 20:56:11 UTC — Bogus DNSSEC delegation
- 2017-10-24 21:31:44 UTC — last personally observed in-addr.arpa DNSSEC failure
- 2017-10-24 21:37:23 UTC — Outage debris
DNSSEC Debugger
Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from October 24, 2017:

dnscheck
- dnscheck.labs.nic.cz shows "The zone in-addr.arpa has published DS records, but none of them work." (requires javascript).
- dnscheck.iis.se shows "The zone in-addr.arpa has published DS records, but none of them work." (requires javascript).
Zonemaster
- zonemaster.net archived "Delegation from parent to child is not properly signed (no_dnskey; no_dnskey; no_dnskey)."
- zonemaster.fr archived "Delegation from parent to child is not properly signed (no_dnskey; no_dnskey; no_dnskey)."
drill trace
Since DNSSEC contains so much garbage, I put the complete drill trace into its own file with the relevant portion below (emphasis added):
;; Domain: in-addr.arpa.
;; Signature ok but no chain to a trusted key or ds record
[S] in-addr.arpa. 3600 IN DNSKEY 256 3 8 ;{id = 31984 (zsk), size = 1024b}
in-addr.arpa. 3600 IN DNSKEY 257 3 8 ;{id = 27581 (ksk), size = 2048b}
[S] Existence denied: in-addr.arpa. A
;;[S] self sig OK; [B] bogus; [T] trusted
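The check that is failing behind drill's "Signature ok but no chain to a trusted key or ds record" is the parent-to-child link: the child's DNSKEY RRset verifies against itself, but no DS record published by the parent (here arpa) matches a child DNSKEY's key tag, algorithm and digest, which is also what dnscheck reports as "has published DS records, but none of them work". The following is an added example of that RFC 4034 check in Python, not code from the page or from drill/unbound. The key bytes are constructed stand-ins (real keys are base64-encoded RSA material), so the computed key tags differ from the 31984/27581 in the drill output; the names `make_ds`, `authenticated_keys` and `diagnose` are this example's own.

```python
import hashlib
import struct

# Added example, not from the original page. Key material below is constructed
# for illustration; it is not in-addr.arpa's real KSK/ZSK.

RSASHA256 = 8                       # DNSKEY algorithm number seen in the drill output
DIGEST_SHA1, DIGEST_SHA256 = 1, 2   # DS digest types
ALG_NAMES = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
             10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags (256 = ZSK, 257 = KSK), 1-byte protocol (always 3),
    1-byte algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (the variant for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=DIGEST_SHA256):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA)."""
    h = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).digest()


def make_ds(owner, rdata, digest_type=DIGEST_SHA256):
    """The DS record the parent zone would publish for this DNSKEY."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def authenticated_keys(owner, dnskey_rdatas, ds_records):
    """Return the child DNSKEYs that at least one parent DS authenticates.
    Empty result with non-empty ds_records == "published DS records, but none of them work"."""
    good = []
    for rdata in dnskey_rdatas:
        tag, alg = key_tag(rdata), rdata[3]
        for ds in ds_records:
            if (ds["key_tag"], ds["algorithm"]) != (tag, alg):
                continue  # cheap pre-filter; a validator only hashes on tag/alg match
            if ds["digest"] == ds_digest(owner, rdata, ds["digest_type"]):
                good.append(rdata)
                break
    return good


def diagnose(owner, dnskey_rdatas, ds_records):
    """One-line verdict, worded after unbound's log message."""
    if not ds_records:
        return "insecure delegation: parent publishes no DS"
    if authenticated_keys(owner, dnskey_rdatas, ds_records):
        return "secure: chain of trust from parent DS to child DNSKEY"
    algs = sorted({ds["algorithm"] for ds in ds_records})
    return "bogus: no keys have a DS with algorithm %s" % ",".join(
        ALG_NAMES.get(a, str(a)) for a in algs)


if __name__ == "__main__":
    owner = "in-addr.arpa."
    ksk = dnskey_rdata(257, 3, RSASHA256, b"\x01\x02\x03\x04")       # constructed KSK
    rolled = dnskey_rdata(257, 3, RSASHA256, b"\x05\x06\x07\x08")    # constructed replacement KSK
    parent_ds = [make_ds(owner, ksk)]
    print(diagnose(owner, [ksk], parent_ds))       # secure: DS matches the published key
    print(diagnose(owner, [rolled], parent_ds))    # bogus: child rolled, parent DS still old
```

The second call in the usage block is the shape of this outage as the tools describe it: the child serves a self-consistent, correctly signed DNSKEY set, but the DS set in the parent does not point at any of those keys, so every validator downstream marks the zone bogus rather than insecure.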
Logfile examples
- [1508877954] unbound[18869:0] info: validation failure <in-addr.arpa. A IN>: key for validation in-addr.arpa. is marked as invalid because of a previous validation failure <197.in-addr.arpa. NS IN>: no keys have a DS with algorithm RSASHA256 from 196.216.169.10 for key in-addr.arpa. while building chain of trust
- [1508878713] unbound[5644:0] info: validation failure <in-addr.arpa. A IN>: signatures from unknown keys from 199.212.0.73 for <in-addr.arpa. SOA IN>
- [1508878880] unbound[31439:0] info: validation failure <in-addr.arpa. A IN>: key for validation in-addr.arpa. is marked as invalid because of a previous validation failure <94.in-addr.arpa. NS IN>: no keys have a DS with algorithm RSASHA256 from 199.253.183.183 for key in-addr.arpa. while building chain of trust
- [1508880704] unbound[18869:0] info: validation failure <in-addr.arpa. A IN>: key for validation in-addr.arpa. is marked as invalid because of a previous validation failure <213.in-addr.arpa. NS IN>: no keys have a DS with algorithm RSASHA256 from 199.253.183.183 for key in-addr.arpa. while building chain of trust
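The unbound lines above carry everything needed to bound the outage from a resolver's point of view: an epoch timestamp, the query that failed, which authoritative server answered, and whether the failure was a fresh DS mismatch or a key that unbound had already "marked as invalid because of a previous validation failure" (a cached bad key keeps failing lookups until its TTL expires). The following is an added example, not code from the page or from unbound, that parses such lines and summarises the failure window; it uses the four lines quoted above as its sample input, and the function names `parse_unbound_failures` and `summarize` are this example's own.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Added example, not from the original page. SAMPLE_LOG is the four unbound
# lines quoted on this page, re-used here as test input.
SAMPLE_LOG = """\
[1508877954] unbound[18869:0] info: validation failure <in-addr.arpa. A IN>: key for validation in-addr.arpa. is marked as invalid because of a previous validation failure <197.in-addr.arpa. NS IN>: no keys have a DS with algorithm RSASHA256 from 196.216.169.10 for key in-addr.arpa. while building chain of trust
[1508878713] unbound[5644:0] info: validation failure <in-addr.arpa. A IN>: signatures from unknown keys from 199.212.0.73 for <in-addr.arpa. SOA IN>
[1508878880] unbound[31439:0] info: validation failure <in-addr.arpa. A IN>: key for validation in-addr.arpa. is marked as invalid because of a previous validation failure <94.in-addr.arpa. NS IN>: no keys have a DS with algorithm RSASHA256 from 199.253.183.183 for key in-addr.arpa. while building chain of trust
[1508880704] unbound[18869:0] info: validation failure <in-addr.arpa. A IN>: key for validation in-addr.arpa. is marked as invalid because of a previous validation failure <213.in-addr.arpa. NS IN>: no keys have a DS with algorithm RSASHA256 from 199.253.183.183 for key in-addr.arpa. while building chain of trust
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[(?P<pid>\d+):\d+\] info: validation failure "
    r"<(?P<qname>\S+) (?P<qtype>\S+) IN>: (?P<reason>.*)$")
# "from <addr>" names the upstream server; skip the "from unknown keys" phrase.
SERVER_RE = re.compile(r"\bfrom (\d+\.\d+\.\d+\.\d+|[0-9A-Fa-f]*:[0-9A-Fa-f:]+)")
ALG_RE = re.compile(r"DS with algorithm (\S+) from")
CACHED_RE = re.compile(r"previous validation failure <([^>]+)>")


def classify(reason):
    """Bucket unbound's free-text reason into the failure modes seen in this outage."""
    if "no keys have a DS with algorithm" in reason:
        return "ds_mismatch"        # parent DS set matches none of the child's keys
    if "signatures from unknown keys" in reason:
        return "unknown_keys"       # RRSIG key tag not in the DNSKEY set unbound trusts
    return "other"


def parse_unbound_failures(text):
    """Parse each 'validation failure' line into a dict; other lines are ignored."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip().lstrip("- "))
        if not m:
            continue
        reason = m.group("reason")
        server = SERVER_RE.search(reason)
        alg = ALG_RE.search(reason)
        cached = CACHED_RE.search(reason)
        events.append({
            "ts": int(m.group("ts")),
            "pid": int(m.group("pid")),
            "qname": m.group("qname"),
            "qtype": m.group("qtype"),
            "category": classify(reason),
            "server": server.group(1) if server else None,
            "algorithm": alg.group(1) if alg else None,
            # the earlier lookup whose failure poisoned the cached key, if any
            "cached_failure": cached.group(1) if cached else None,
        })
    return events


def fmt_utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def summarize(text):
    """First/last failure, window length, failure modes and servers implicated."""
    events = parse_unbound_failures(text)
    if not events:
        return {"count": 0}
    first, last = min(e["ts"] for e in events), max(e["ts"] for e in events)
    return {
        "count": len(events),
        "first": fmt_utc(first),
        "last": fmt_utc(last),
        "window_seconds": last - first,
        "categories": dict(Counter(e["category"] for e in events)),
        "servers": sorted({e["server"] for e in events if e["server"]}),
        "qnames": sorted({e["qname"] for e in events}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print("%-15s %s" % (key, value))
```

Run against the page's own lines, the summary's first and last timestamps fall on the "first/last personally observed" entries in the timeline above, and the `cached_failure` field shows why a single bad DS set fans out across many reverse zones: one failed lookup under 197.in-addr.arpa marks the in-addr.arpa key invalid, and every later query under that apex fails on the cached verdict.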