opendnssec.org DNSSEC Outage:
2018-02-26 to 2018-02-27

Updated: February 27, 2018

Overview

This page gives some details on the opendnssec.org DNSSEC outage from February 26 to February 27, 2018. OpenDNSSEC is used by many people to sign their DNSSEC records, and this is not the first DNSSEC outage for the OpenDNSSEC maintainers. This particular DNSSEC outage affected www.opendnssec.org and issues.opendnssec.org.

Timeline / DNSViz

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from February 26, 2018:

[Screenshot: issues.opendnssec.org DNSSEC outage, February 26, 2018]

Google Public DNS: with and without DNSSEC

DNSSEC validation can be disabled per query by setting the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC validation.

With DNSSEC validation, DNS queries fail with SERVFAIL:

$ dig +dnssec a issues.opendnssec.org. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec a issues.opendnssec.org. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16094
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;issues.opendnssec.org. IN A

;; Query time: 434 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Feb 26 17:45:17 2018
;; MSG SIZE rcvd: 50


You have to disable DNSSEC validation (dig's +cd option sets the CD bit) to make DNS queries work:

$ dig +cd a issues.opendnssec.org. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +cd a issues.opendnssec.org. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4310
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;issues.opendnssec.org. IN A

;; ANSWER SECTION:
issues.opendnssec.org. 14399 IN A 145.100.190.50

;; Query time: 149 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Feb 26 17:45:17 2018
;; MSG SIZE rcvd: 55
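
The same comparison can be scripted. The following is an added example, not part of the original page: it builds the two queries (DO bit in the EDNS OPT record, CD bit in the header), reads the rcode and flags from each response, and reports when SERVFAIL with validation plus NOERROR with CD points to a DNSSEC validation failure. The function names and the two sample response headers are constructed for illustration, with flags taken from the dig outputs above.

```python
import socket
import struct

CD = 0x0010        # header flag: checking disabled (RFC 4035)
RD = 0x0100        # header flag: recursion desired
DO = 0x8000        # EDNS flag: DNSSEC OK, carried in the OPT record's TTL field
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name, qid, cd=False, do=False, qtype=1):
    """Build a DNS query for `name`; cd mirrors dig +cd, do mirrors dig +dnssec."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if do else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    if do:  # OPT pseudo-record: root name, type 41, udp size 512, ttl holds flags
        msg += b"\x00" + struct.pack("!HHIH", 41, 512, DO, 0)
    return msg

def parse_header(msg):
    """Return (rcode name, cd flag set, answer count) from a DNS response."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return RCODES.get(rcode, str(rcode)), bool(flags & CD), ancount

def classify(validating_resp, cd_resp):
    """Compare the validated answer with the CD=1 answer for the same name."""
    v_rcode, _, _ = parse_header(validating_resp)
    c_rcode, _, c_answers = parse_header(cd_resp)
    if v_rcode == "SERVFAIL" and c_rcode == "NOERROR" and c_answers > 0:
        return "dnssec-validation-failure"
    if v_rcode == "SERVFAIL" and c_rcode == "SERVFAIL":
        return "resolution-failure"   # broken regardless of validation
    if v_rcode == c_rcode:
        return "consistent"
    return "inconclusive"

def ask(server, msg, timeout=3.0):
    """Send one query over UDP and return the raw response (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        return s.recvfrom(4096)[0]

# Constructed response headers matching the two dig outputs above:
# flags "qr rd ra" + SERVFAIL, and flags "qr rd ra cd" + NOERROR with 1 answer.
SERVFAIL_RESP = struct.pack("!HHHHHH", 16094, 0x8182, 1, 0, 0, 1)
CD_OK_RESP = struct.pack("!HHHHHH", 4310, 0x8190, 1, 1, 0, 0)
```

An answer obtained with CD set is unvalidated, so use it only to diagnose the outage, not as a trusted result.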

Logfile examples