www.openswan.com DNSSEC Outage: 2018-02-13

Updated: February 14, 2018

Overview

This page gives some details on the www.openswan.com DNSSEC outage on February 13, 2018.

Timeline / DNSViz

2018-02-13 15:47:08 UTC — RRSIG expired
2018-02-13 15:51:27 UTC — RRSIG expired
2018-02-13 21:32:57 UTC — last personally observed DNSSEC failure

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from February 13, 2018:

February 13, 2018 www.openswan.com DNSSEC outage

Google Public DNS: with and without DNSSEC

DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC.

With DNSSEC, DNS queries fail:

$ dig +dnssec a www.openswan.com. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec a www.openswan.com. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59850
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.openswan.com. IN A

;; Query time: 610 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Feb 13 15:48:21 2018
;; MSG SIZE rcvd: 45

You have to disable DNSSEC to make DNS queries work:

$ dig +cd a www.openswan.com. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +cd a www.openswan.com. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17041
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.openswan.com. IN A

;; ANSWER SECTION:
www.openswan.com. 7199 IN CNAME www.openswan.org.
www.openswan.org. 21599 IN A 173.230.133.71

;; Query time: 135 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Feb 13 15:48:21 2018
;; MSG SIZE rcvd: 80

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file with the relevant portion below (emphasis added):

;; Domain: openswan.com.
[T] openswan.com. 3600 IN DNSKEY 257 3 7 ;{id = 61961 (ksk), size = 2048b}
openswan.com. 3600 IN DNSKEY 256 3 7 ;{id = 28645 (zsk), size = 1024b}
openswan.com. 3600 IN DNSKEY 256 3 7 ;{id = 15241 (zsk), size = 1024b}
openswan.com. 3600 IN DNSKEY 256 3 7 ;{id = 33136 (zsk), size = 1024b}
[B] Unable to verify denial of existence for www.openswan.com. DS: RR not covered by the given NSEC RRs
;; No ds record for delegation
;; Domain: www.openswan.com.
;; No DNSKEY record found for www.openswan.com.
[U] No data found for: www.openswan.com. type A
;;[S] self sig OK; [B] bogus; [T] trusted

Logfile examples

[1518536899] unbound[24990:0] info: validation failure <www.openswan.com. A IN>: signature expired for CNAME from 162.159.27.72 and 162.159.25.129
[1518557577] unbound[24990:0] info: validation failure <www.openswan.com. A IN>: signature expired for CNAME from 162.159.24.39 and 162.159.24.39