.how TLD DNSSEC Outage: 2018-04-08

Updated: April 9, 2018

Overview

This page gives some details on the .how TLD DNSSEC outage on April 8, 2018.

Timeline / DNSViz

• 2018-04-08 17:35:30 UTC — expired RRSIGs
• 2018-04-08 17:35:57 UTC — expired RRSIGs
• 2018-04-08 17:36:49 UTC — expired RRSIGs
• 2018-04-08 17:37:10 UTC — expired RRSIGs
• 2018-04-08 17:44:23 UTC — expired RRSIGs
• 2018-04-08 19:05:54 UTC — last personally observed DNSSEC failure
• 2018-04-08 19:08:59 UTC — some expired RRSIGs

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from April 8, 2018:

Google Public DNS: with and without DNSSEC

DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC. With DNSSEC, DNS queries result in SERVFAIL:

$ dig +dnssec ns how. @8.8.8.8 ; <<>> DiG 9.4.2-P2 <<>> +dnssec ns how. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51360
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;how. IN NS

;; Query time: 11 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 8 17:36:42 2018
;; MSG SIZE rcvd: 32

---

You have to disable DNSSEC to make DNS queries work:

$ dig +cd ns how. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +cd ns how. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29152
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;how. IN NS

;; ANSWER SECTION:
how. 21599 IN NS ns-tld1.charlestonroadregistry.com.
how. 21599 IN NS ns-tld2.charlestonroadregistry.com.
how. 21599 IN NS ns-tld3.charlestonroadregistry.com.
how. 21599 IN NS ns-tld4.charlestonroadregistry.com.
how. 21599 IN NS ns-tld5.charlestonroadregistry.com.

;; Query time: 10 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 8 17:36:42 2018
;; MSG SIZE rcvd: 157

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file with the relevant portion below (emphasis added):

;; Domain: how.
[B] how. 86400 IN DNSKEY 256 3 8 ;{id = 61518 (zsk), size = 1024b}
how. 86400 IN DNSKEY 256 3 8 ;{id = 43569 (zsk), size = 1024b}
how. 86400 IN DNSKEY 257 3 8 ;{id = 58849 (ksk), size = 2048b}
how. 86400 IN DNSKEY 257 3 8 ;{id = 58609 (ksk), size = 2048b}
[B] Error verifying denial of existence for how. type A: No keys with the keytag and algorithm from the RRSIG found
;;[S] self sig OK; [B] bogus; [T] trusted

Logfile examples

• [1523208998] unbound[26322:0] info: validation failure <how. NS IN>: signature expired from 216.239.34.105 for key how. while building chain of trust
• [1523209456] unbound[26322:0] info: validation failure <how. NS IN>: signature expired from 216.239.32.105 for key how. while building chain of trust
• [1523214139] unbound[26322:0] info: validation failure <how. NS IN>: signature missing from 216.239.38.105 for key how. while building chain of trust
• [1523214354] unbound[26322:0] info: validation failure <how. NS IN>: signature missing from 216.239.36.105 for key how. while building chain of trust