www.nasa.gov DNSSEC Outage:
2017-11-20 to 2017-11-21

Updated: November 22, 2017

Overview

This page gives some details on the www.nasa.gov DNSSEC outage from November 20 to November 21, 2017. Note that nasa.gov redirects to www.nasa.gov, so DNSSEC users were prevented from seeing the nasa.gov website as well. NASA has had numerous DNSSEC outages.

Timeline / DNSViz

• 2017-11-20 21:34:10 UTC — No RRSIGs
• 2017-11-20 21:35:29 UTC — No RRSIGs
• 2017-11-20 21:35:47 UTC — No RRSIGs
• 2017-11-20 21:36:35 UTC — No RRSIGs
• 2017-11-20 23:39:24 UTC — No RRSIGs
• 2017-11-21 03:26:19 UTC — No RRSIGs
• 2017-11-21 05:04:29 UTC — No RRSIGs
• 2017-11-21 09:21:54 UTC — No RRSIGs
• 2017-11-21 11:22:06 UTC — No RRSIGs
• 2017-11-21 11:57:44 UTC — No RRSIGs
• 2017-11-21 13:27:05 UTC — No RRSIGs
• 2017-11-21 15:35:15 UTC — No RRSIGs
• 2017-11-21 15:43:57 UTC — No RRSIGs
• 2017-11-21 16:28:14 UTC — No RRSIGs
• 2017-11-21 16:48:47 UTC — No RRSIGs
• 2017-11-21 17:00:04 UTC — No RRSIGs
• 2017-11-21 18:05:46 UTC — No RRSIGs
• 2017-11-21 18:58:16 UTC — No RRSIGs
• 2017-11-21 19:51:05 UTC — No RRSIGs
• 2017-11-21 19:57:21 UTC — last personally observed DNSSEC failure
• 2017-11-21 20:07:11 UTC — DNSSEC outage over

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from November 20, 2017:

Google Public DNS: with and without DNSSEC

DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC.

With DNSSEC, DNS queries fail:

$ dig +dnssec www.nasa.gov. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec www.nasa.gov. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32048
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.nasa.gov. IN A

;; Query time: 15 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Nov 20 22:43:52 2017
;; MSG SIZE rcvd: 41

---

You have to disable DNSSEC to make DNS queries work:

$ dig +cd www.nasa.gov. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +cd www.nasa.gov. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62469
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.nasa.gov. IN A

;; ANSWER SECTION:
www.nasa.gov. 274 IN CNAME www.nasawestprime.com.
www.nasawestprime.com. 29 IN CNAME iznasa.hs.llnwd.net.
iznasa.hs.llnwd.net. 24 IN A 208.111.171.236

;; Query time: 26 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Nov 20 22:43:52 2017
;; MSG SIZE rcvd: 114

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file with the relevant portion below (emphasis added):

;; Domain: nasa.gov.
;; No DNSKEY record found for nasa.gov.
;; No DS for www.nasa.gov.;; No ds record for delegation
;; Domain: www.nasa.gov.
;; No DNSKEY record found for www.nasa.gov.
[U] No data found for: www.nasa.gov. type A
;;[S] self sig OK; [B] bogus; [T] trusted

Logfile examples

• [1511213597] unbound[52556:0] info: validation failure <www.nasa.gov. A IN>: DS got unsigned CNAME answer from 69.28.143.13 and 205.251.193.107 and 198.116.4.185 for DS www.nasa.gov. while building chain of trust
• [1511234887] unbound[52556:0] info: validation failure <www.nasa.gov. A IN>: DS got unsigned CNAME answer from 69.28.143.12 and 205.251.193.107 and 198.116.4.181 for DS www.nasa.gov. while building chain of trust