.xn--mgbx4cd0ab TLD DNSSEC Outage: 2018-11-04

Date: November 4, 2018

Overview

This page gives some details on the .xn--mgbx4cd0ab (Malaysia IDN) TLD DNSSEC outage on November 4, 2018.

Timeline / DNSViz

2018-11-04 10:24:38 UTC — bogus DNSSEC delegation
2018-11-04 10:25:15 UTC — original error mostly but temporarily fixed
2018-11-04 10:26:39 UTC — another bogus DNSSEC delegation, because why not
2018-11-04 10:31:03 UTC — another temporary fix
2018-11-04 10:35:19 UTC — DNSSEC down hard again; rollercoasters are fun!
...
2018-11-04 16:51:53 UTC — last personally observed DNSSEC failure

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from November 4, 2018:

November 4, 2018 .xn--mgbx4cd0ab TLD DNSSEC outage

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file with the relevant portion below (emphasis added):

;; Domain: xn--mgbx4cd0ab.
;; Signature ok but no chain to a trusted key or ds record
[S] xn--mgbx4cd0ab. 172800 IN DNSKEY 257 3 8 ;{id = 15654 (ksk), size = 2048b}
xn--mgbx4cd0ab. 172800 IN DNSKEY 257 3 8 ;{id = 35586 (ksk), size = 2048b}
xn--mgbx4cd0ab. 172800 IN DNSKEY 256 3 8 ;{id = 53258 (zsk), size = 1024b}
xn--mgbx4cd0ab. 172800 IN DNSKEY 256 3 8 ;{id = 55892 (zsk), size = 1024b}
xn--mgbx4cd0ab. 172800 IN DNSKEY 256 3 8 ;{id = 30788 (zsk), size = 1024b}
xn--mgbx4cd0ab. 172800 IN DNSKEY 385 3 8 ;{id = 46232, size = 2048b}
xn--mgbx4cd0ab. 172800 IN DNSKEY 257 3 8 ;{id = 29817 (ksk), size = 2048b}
[S] Existence denied: xn--mgbx4cd0ab. A
;;[S] self sig OK; [B] bogus; [T] trusted

Logfile examples

[1541329130] unbound[57510:0] info: validation failure <xn--mgbx4cd0ab. NS IN>: no keys have a DS with algorithm RSASHA256 from 194.0.1.30 for key xn--mgbx4cd0ab. while building chain of trust
[1541329788] unbound[57510:0] info: validation failure <xn--mgbx4cd0ab. NS IN>: no keys have a DS with algorithm RSASHA256 from 49.236.194.202 for key xn--mgbx4cd0ab. while building chain of trust
[1541338708] unbound[57510:0] info: validation failure <xn--mgbx4cd0ab. NS IN>: no keys have a DS with algorithm RSASHA256 from 137.189.6.21 for key xn--mgbx4cd0ab. while building chain of trust
[1541348792] unbound[57510:0] info: validation failure <xn--mgbx4cd0ab. NS IN>: no keys have a DS with algorithm RSASHA256 from 202.171.47.204 for key xn--mgbx4cd0ab. while building chain of trust
[1541350313] unbound[57510:0] info: validation failure <xn--mgbx4cd0ab. NS IN>: no keys have a DS with algorithm RSASHA256 from 192.134.0.49 for key xn--mgbx4cd0ab. while building chain of trust