dnsops.gov DNSSEC Outage:
2018-06-05 to 2018-06-12
Updated: June 13, 2018
Overview
This page gives some details on the dnsops.gov DNSSEC outage from June 5 to June 12, 2018.
Timeline / DNSViz
- 2018-06-05 03:00:33 UTC — RRSIGs expire
- 2018-06-05 03:05:09 UTC — expired RRSIGs
- 2018-06-05 13:45:11 UTC — expired RRSIGs
- 2018-06-06 17:48:27 UTC — expired RRSIGs
- 2018-06-07 01:38:23 UTC — expired RRSIGs
- 2018-06-08 03:56:31 UTC — expired RRSIGs
- 2018-06-09 03:43:05 UTC — expired RRSIGs
- 2018-06-10 15:07:57 UTC — expired RRSIGs
- 2018-06-12 03:55:59 UTC — expired RRSIGs
- 2018-06-12 14:29:52 UTC — last personally observed DNSSEC failure
DNSSEC Debugger
Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from June 5, 2018.
dnscheck
Note: Javascript is required to use dnscheck. Also note that the nic.cz site barely works.
- zonemaster.labs.nic.cz shows expired RRSIGs
Zonemaster
- zonemaster.net archived "Delegation from parent to child is not properly signed (no_dnskey; signature: DNSSEC signature has expired)."
- zonemaster.fr archived "Delegation from parent to child is not properly signed (no_dnskey; signature: DNSSEC signature has expired)."
Google Public DNS: with and without DNSSEC
DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC. With DNSSEC, DNS queries result in SERVFAIL:
$ dig +dnssec a dnsops.gov. @8.8.8.8
; <<>> DiG 9.4.2-P2 <<>> +dnssec a dnsops.gov. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8364
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;dnsops.gov. IN A
;; Query time: 162 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jun 5 03:05:54 2018
;; MSG SIZE rcvd: 39
You have to disable DNSSEC to make DNS queries work:
$ dig +cd a dnsops.gov. @8.8.8.8
; <<>> DiG 9.4.2-P2 <<>> +cd a dnsops.gov. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14568
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;dnsops.gov. IN A
;; ANSWER SECTION:
dnsops.gov. 3599 IN A 129.6.100.203
;; Query time: 1081 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jun 5 03:05:55 2018
;; MSG SIZE rcvd: 44
drill trace
Since DNSSEC contains so much garbage, I put the complete drill trace into its own file with the relevant portion below (emphasis added):
;; Domain: dnsops.gov.
[B] dnsops.gov. 3600 IN DNSKEY 257 3 8 ;{id = 32917 (ksk), size = 2048b}
dnsops.gov. 3600 IN DNSKEY 257 3 8 ;{id = 31580 (ksk), size = 2048b}
dnsops.gov. 3600 IN DNSKEY 256 3 8 ;{id = 32229 (zsk), size = 1024b}
dnsops.gov. 3600 IN DNSKEY 256 3 8 ;{id = 65160 (zsk), size = 1024b}
[B] dnsops.gov. 3600 IN A 129.6.100.203
;; Error: No keys with the keytag and algorithm from the RRSIG found
;;[S] self sig OK; [B] bogus; [T] trusted
Logfile examples
- [1528172578] unbound[48963:0] info: validation failure <rollready.dnsops.gov. A IN>: no keys have a DS with algorithm RSASHA256 from 129.6.100.203 for key dnsops.gov. while building chain of trust
- [1528172802] unbound[48963:0] info: validation failure <dane-test.had.dnsops.gov. A IN>: no keys have a DS with algorithm RSASHA256 from 129.6.100.203 for key dnsops.gov. while building chain of trust
- [1528173645] unbound[48963:0] info: validation failure <dnsops.gov. MX IN>: no keys have a DS with algorithm RSASHA256 from 129.6.100.203 for key dnsops.gov. while building chain of trust
- [1528213625] unbound[48963:0] info: validation failure <www.dnsops.gov. A IN>: no keys have a DS with algorithm RSASHA256 from 129.6.100.203 for key dnsops.gov. while building chain of trust
- [1528813792] unbound[48963:0] info: validation failure <dnsops.gov. A IN>: no keys have a DS with algorithm RSASHA256 from 129.6.100.203 for key dnsops.gov. while building chain of trust