gsu.edu DNSSEC Outage:
2018-01-01 to 2018-01-02

Updated: January 3, 2018

Overview

This page gives some details on the gsu.edu (Georgia State University) DNSSEC outage from January 1 to January 2, 2018.

Timeline / DNSViz

• 2018-01-01 13:02:31 UTC — Bogus DNSSEC delegation
• 2018-01-01 13:10:43 UTC — Bogus DNSSEC delegation
• 2018-01-01 13:21:45 UTC — Bogus DNSSEC delegation
• 2018-01-01 16:51:57 UTC — Bogus DNSSEC delegation
• 2018-01-02 01:54:31 UTC — Bogus DNSSEC delegation
• 2018-01-02 14:06:07 UTC — Bogus DNSSEC delegation

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from January 1, 2018.

Zonemaster

• zonemaster.net archived "Delegation from parent to child is not properly signed no_dnskey."

Google Public DNS: with and without DNSSEC

DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC. With DNSSEC, DNS queries result in SERVFAIL:

$ dig +dnssec mx gsu.edu. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec mx gsu.edu. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31102
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;gsu.edu. IN MX

;; Query time: 139 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jan 1 13:21:39 2018
;; MSG SIZE rcvd: 36

---

You have to disable DNSSEC to make DNS queries work:

$ dig +cd mx gsu.edu. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +cd mx gsu.edu. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63093
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;gsu.edu. IN MX

;; ANSWER SECTION:
gsu.edu. 3001 IN MX 10 gsu-edu.mail.eo.outlook.com.
gsu.edu. 3001 IN MX 0 gsu-edu.mail.protection.outlook.com.

;; Query time: 8 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jan 1 13:21:39 2018
;; MSG SIZE rcvd: 108

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file with the relevant portion below (emphasis added):

;; Domain: gsu.edu.
;; Signature ok but no chain to a trusted key or ds record
[S] gsu.edu. 3600 IN DNSKEY 257 3 5 ;{id = 53189 (ksk), size = 2048b}
gsu.edu. 3600 IN DNSKEY 256 3 5 ;{id = 15772 (zsk), size = 1024b}
[S] gsu.edu. 300 IN A 104.130.251.77
;;[S] self sig OK; [B] bogus; [T] trusted

Logfile examples

• [1514811720] unbound[43282:0] info: validation failure <tinman.cs.gsu.edu. A IN>: no keys have a DS with algorithm RSASHA1 from 131.144.4.10 for key gsu.edu. while building chain of trust
• [1514833449] unbound[43282:0] info: validation failure <gsu.edu. A IN>: no keys have a DS with algorithm RSASHA1 from 198.72.72.11 for key gsu.edu. while building chain of trust
• [1514834427] unbound[5333:0] info: validation failure <gsu.edu. MX IN>: no keys have a DS with algorithm RSASHA1 from 131.96.7.124 for key gsu.edu. while building chain of trust