root-dnssec.org DNSSEC Outage: 2017-10-24

Date: October 24, 2017

Overview

This page gives some details on the root-dnssec.org DNSSEC outage of October 24, 2017.

Timeline / DNSViz

• 2017-10-24 20:29:55 UTC — first personally observed root-dnssec.org DNSSEC failure
• 2017-10-24 20:30:27 UTC — Bogus DNSSEC delegation
• 2017-10-24 20:30:46 UTC — Bogus DNSSEC delegation
• 2017-10-24 20:42:12 UTC — Bogus DNSSEC delegation
• 2017-10-24 20:44:01 UTC — Bogus DNSSEC delegation
• 2017-10-24 20:52:56 UTC — Bogus DNSSEC delegation
• 2017-10-24 21:56:56 UTC — last personally observed root-dnssec.org DNSSEC failure
• 2017-10-25 02:52:17 UTC — DNSSEC outage over

Verisign's DNSSEC Debugger

Since Verisign doesn't archive outages, here's a screenshot I took on October 24, 2017:

Google Public DNS: with and without DNSSEC

DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC.

With DNSSEC, DNS queries fail:

$ dig +dnssec ns root-dnssec.org. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec ns root-dnssec.org. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56624
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;root-dnssec.org. IN NS

;; Query time: 68 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Oct 24 20:41:55 2017
;; MSG SIZE rcvd: 44

---

You have to disable DNSSEC to make DNS queries work:

$ dig +cd ns root-dnssec.org. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +cd ns root-dnssec.org. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47824
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;root-dnssec.org. IN NS

;; ANSWER SECTION:
root-dnssec.org. 21599 IN NS a.iana-servers.net.
root-dnssec.org. 21599 IN NS b.iana-servers.net.
root-dnssec.org. 21599 IN NS c.iana-servers.net.
root-dnssec.org. 21599 IN NS ns.icann.org.

;; Query time: 34 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Oct 24 20:41:55 2017
;; MSG SIZE rcvd: 120

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file with the relevant portion below (emphasis added):

;; Domain: root-dnssec.org.
;; Signature ok but no chain to a trusted key or ds record
[S] root-dnssec.org. 3600 IN DNSKEY 256 3 8 ;{id = 16234 (zsk), size = 1024b}
root-dnssec.org. 3600 IN DNSKEY 257 3 8 ;{id = 56824 (ksk), size = 2048b}
[S] Existence denied: root-dnssec.org. A
;;[S] self sig OK; [B] bogus; [T] trusted

Logfile examples

• [1508876995] unbound[18869:0] info: validation failure <www.root-dnssec.org. A IN>: signatures from unknown keys for CNAME from 192.0.47.252 and 199.43.133.53
• [1508882216] unbound[18869:0] info: validation failure <root-dnssec.org. A IN>: no keys have a DS with algorithm RSASHA256 from 199.4.138.53 for key root-dnssec.org. while building chain of trust