unt.edu DNSSEC Outage: 2018-02-02
Updated: February 5, 2018
Overview
This page gives some details on the unt.edu (University of North Texas) DNSSEC outage on February 2, 2018. Some other affected domains included untdallas.edu, unthsc.edu, and untsystem.edu. UNT has around 38,000 students.
Timeline / DNSViz
- 2018-02-02 21:04:13 UTC — Bogus DNSSEC delegation
- 2018-02-03 16:28:22 UTC — unt.edu is unsigned
DNSSEC Debugger
Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from February 2, 2018.
Zonemaster
- zonemaster.net archived "Delegation from parent to child is not properly signed (signature: Bogus DNSSEC signature; signature: Bogus DNSSEC signature)."
DNS-OARC: with and without DNSSEC
DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC. With DNSSEC, DNS queries result in SERVFAIL:
$ dig +dnssec mx unt.edu. @184.105.193.74
; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec mx unt.edu. @184.105.193.74
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16105
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;unt.edu. IN MX
;; Query time: 92 msec
;; SERVER: 184.105.193.74#53(184.105.193.74)
;; WHEN: Fri Feb 02 21:04:39 UTC 2018
;; MSG SIZE rcvd: 36
You have to disable DNSSEC to make DNS queries work:
$ dig +cd mx unt.edu. @184.105.193.74
; <<>> DiG 9.10.3-P4-Debian <<>> +cd mx unt.edu. @184.105.193.74
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32556
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;unt.edu. IN MX
;; ANSWER SECTION:
unt.edu. 28800 IN MX 0 unt-edu.mail.protection.outlook.com.
;; Query time: 13 msec
;; SERVER: 184.105.193.74#53(184.105.193.74)
;; WHEN: Fri Feb 02 21:04:39 UTC 2018
;; MSG SIZE rcvd: 87
drill trace
Since DNSSEC contains so much garbage, I put the complete drill trace into its own file with the relevant portion below (emphasis added):
;; Domain: unt.edu.
[B] unt.edu. 302400 IN DNSKEY 257 3 7 ;{id = 64023 (ksk), size = 2048b}
unt.edu. 302400 IN DNSKEY 257 3 7 ;{id = 26343 (ksk), size = 2048b}
[B] unt.edu. 28800 IN A 129.120.231.230
;; Error: No keys with the keytag and algorithm from the RRSIG found
;;[S] self sig OK; [B] bogus; [T] trusted
Logfile examples
- [1517605476] unbound[19575:0] info: validation failure <unt.edu. A IN>: signature crypto failed from 129.120.14.13 for key unt.edu. while building chain of trust
- [1517607699] unbound[19575:0] info: validation failure <untdallas.edu. A IN>: No DNSKEY record from 129.120.14.13 for key untdallas.edu. while building chain of trust
- [1517607711] unbound[19575:0] info: validation failure <unthsc.edu. A IN>: No DNSKEY record from 129.120.14.12 for key unthsc.edu. while building chain of trust
- [1517607722] unbound[19575:0] info: validation failure <untsystem.edu. A IN>: No DNSKEY record from 129.120.14.12 for key untsystem.edu. while building chain of trust