ad TLD DNSSEC Outage: 2019-01-13

Date: January 13, 2019

Overview

This page gives some details on the ad TLD (Andorra) DNSSEC outage on January 13, 2019. This is at least the 4th DNSSEC outage for Andorra.

Timeline / DNSViz

2019-01-13 12:10:31 UTC — RRSIGs expire
2019-01-13 12:13:06 UTC — expired RRSIGs
2019-01-13 12:14:06 UTC — expired RRSIGs
2019-01-13 12:14:29 UTC — expired RRSIGs
2019-01-13 17:03:17 UTC — expired RRSIGs
2019-01-13 17:12:47 UTC — last personally observed DNSSEC failure

Verisign's DNSSEC Debugger

Verisign doesn't archive test results, so here's a screenshot I took of my web browser's output on January 13, 2019:

ad (Andorra) DNSSEC outage, January 13, 2019

Zonemaster

Note: zonemaster requires javascript.

zonemaster.net archived "The apex DNSKEY RRset was not correctly signed."

Google Public DNS: with and without DNSSEC

DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC. With DNSSEC, DNS queries result in SERVFAIL:

$ dig +dnssec ns ad. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec ns ad. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41947
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;ad. IN NS

;; Query time: 628 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jan 13 12:14:17 2019
;; MSG SIZE rcvd: 31

You have to disable DNSSEC to make DNS work:

$ dig +cd ns ad. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +cd ns ad. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22546
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ad. IN NS

;; ANSWER SECTION:
ad. 899 IN NS ns-ext.isc.org.
ad. 899 IN NS ad.ns.nic.es.
ad. 899 IN NS ad.cctld.authdns.ripe.net.
ad. 899 IN NS dnsc.ad.
ad. 899 IN NS ns3.nic.fr.
ad. 899 IN NS dnsm.ad.

;; Query time: 122 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jan 13 12:14:18 2019
;; MSG SIZE rcvd: 175

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file with the relevant portion below (emphasis added):

ad. 86400 IN DS 60892 8 2 90c3c642c6eb60eac3c982ed697339a8ee3f70aea644ac185bd9997790afabc4
;; Domain: ad.
;; No DNSKEY record found for ad.
[B] Error verifying denial of existence for ad. type A: No keys with the keytag and algorithm from the RRSIG found
;;[S] self sig OK; [B] bogus; [T] trusted

Logfile examples

[1547382039] unbound[74793:0] info: validation failure <ad. NS IN>: signature expired from 204.152.184.64 for key ad. while building chain of trust
[1547399567] unbound[74793:0] info: validation failure <ad. NS IN>: signature expired from 194.69.254.15 for key ad. while building chain of trust