opendnssec.org DNSSEC Outage: 2018-02-26 to 2018-02-27
Updated: February 27, 2018
Overview
This page gives some details on the opendnssec.org DNSSEC outage from February 26 to February 27, 2018. OpenDNSSEC is used by many people to sign their DNSSEC records, and this is not the first DNSSEC outage for the OpenDNSSEC maintainers. This particular DNSSEC outage affected www.opendnssec.org and issues.opendnssec.org.
Timeline / DNSViz
- 2018-02-26 17:42:15 UTC — issues.opendnssec.org/A RRSIG expires
- 2018-02-26 17:45:58 UTC — issues.opendnssec.org/A expired RRSIG
- 2018-02-27 05:29:19 UTC — issues.opendnssec.org/A expired RRSIG
- 2018-02-27 09:06:36 UTC — www.opendnssec.org/A expired RRSIG
- 2018-02-27 10:05:53 UTC — last personally observed DNSSEC failure
DNSSEC Debugger
Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from February 26, 2018:
Google Public DNS: with and without DNSSEC
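DNSSEC validation can be disabled for a query by setting the CD (checking disabled) bit, which tells the resolver to return the answer without validating it. Let's compare DNS queries with and without DNSSEC validation.
With DNSSEC validation, the query fails with SERVFAIL: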
$ dig +dnssec a issues.opendnssec.org. @8.8.8.8
; <<>> DiG 9.4.2-P2 <<>> +dnssec a issues.opendnssec.org. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16094
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;issues.opendnssec.org. IN A
;; Query time: 434 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Feb 26 17:45:17 2018
;; MSG SIZE rcvd: 50
You have to disable DNSSEC validation (set the CD bit) to make the query work:
$ dig +cd a issues.opendnssec.org. @8.8.8.8
; <<>> DiG 9.4.2-P2 <<>> +cd a issues.opendnssec.org. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4310
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;issues.opendnssec.org. IN A
;; ANSWER SECTION:
issues.opendnssec.org. 14399 IN A 145.100.190.50
;; Query time: 149 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Feb 26 17:45:17 2018
;; MSG SIZE rcvd: 55
Logfile examples
- [1519667112] unbound[22378:0] info: validation failure <issues.opendnssec.org. A IN>: signature expired from 91.123.201.115
- [1519668185] unbound[22378:0] info: validation failure <issues.opendnssec.org. A IN>: signature expired from 192.36.115.53
- [1519669255] unbound[22378:0] info: validation failure <issues.opendnssec.org. A IN>: signature expired from 185.49.141.14
- [1519724449] unbound[22378:0] info: validation failure <www.opendnssec.org. A IN>: signature expired from 91.206.174.4
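An added example, not part of the original page: the script below parses the unbound log lines listed above, converts the epoch timestamps to UTC so they can be compared with the timeline, and groups the failures by name, record type and reason. The regular expression assumes the line layout shown in those entries, and the fifth sample line is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# The first four lines are the log entries listed on this page; the last one is
# a constructed, unrelated entry to show that other messages are skipped.
SAMPLE_LOG = """\
[1519667112] unbound[22378:0] info: validation failure <issues.opendnssec.org. A IN>: signature expired from 91.123.201.115
[1519668185] unbound[22378:0] info: validation failure <issues.opendnssec.org. A IN>: signature expired from 192.36.115.53
[1519669255] unbound[22378:0] info: validation failure <issues.opendnssec.org. A IN>: signature expired from 185.49.141.14
[1519724449] unbound[22378:0] info: validation failure <www.opendnssec.org. A IN>: signature expired from 91.206.174.4
[1519724500] unbound[22378:0] info: constructed line that is not a validation failure
"""

# Assumed line layout (taken from the entries above):
# [epoch] unbound[pid:thread] info: validation failure <name type class>: reason from server
FAILURE_RE = re.compile(
    r"\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: validation failure "
    r"<(?P<name>\S+) (?P<rtype>\S+) (?P<rclass>[^>\s]+)>: "
    r"(?P<reason>.+?) from (?P<server>\S+)"
)

def summarize(log_text):
    """Group validation failures by (owner name, record type, reason)."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None, "servers": set()})
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line.lstrip("- "))
        if m is None:
            continue  # not a validation failure in the assumed layout
        seen = datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc)
        g = groups[(m["name"], m["rtype"], m["reason"])]
        g["count"] += 1
        g["first"] = seen if g["first"] is None else min(g["first"], seen)
        g["last"] = seen if g["last"] is None else max(g["last"], seen)
        g["servers"].add(m["server"])
    return dict(groups)

if __name__ == "__main__":
    for (name, rtype, reason), g in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{name} {rtype}: {reason} x{g['count']}, "
              f"{g['first']:%Y-%m-%d %H:%M:%S} to {g['last']:%Y-%m-%d %H:%M:%S} UTC, "
              f"{len(g['servers'])} upstream server(s)")
```

Seeing the same "signature expired" reason reported from several different upstream servers points to a signing problem in the zone itself rather than one stale secondary.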