comcast.net DNSSEC Outage: 2019-01-18

Date: January 18, 2019

Overview

This page gives some details on the comcast.net DNSSEC outage on January 18, 2019. Comcast is one of DNSSEC's biggest supporters and has had several DNSSEC outages.

Timeline / DNSViz

2019-01-18 17:41:47 UTC — RRSIGs expire
2019-01-18 17:44:44 UTC — expired RRSIGs
2019-01-18 17:48:10 UTC — expired RRSIGs
2019-01-18 17:51:07 UTC — expired RRSIGs
2019-01-18 18:15:24 UTC — last personally observed DNSSEC failure

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from January 18, 2019:

January 18, 2019 comcast.net DNSSEC outage

Zonemaster

Note: zonemaster requires javascript.

zonemaster.labs.nic.cz archived "RRSIG with keytag 26550 and covering type(s) DNSKEY has already expired (expiration is: 1547833307)."
zonemaster.net archived "RRSIG with keytag 26550 and covering type(s) DNSKEY has already expired (expiration is: 1547833307)."
zonemaster.fr archived "RRSIG with keytag 26550 and covering type(s) DNSKEY has already expired (expiration is: 1547833307)."

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):

;; Domain: comcast.net.
[T] comcast.net. 3600 IN DNSKEY 256 3 5 ;{id = 26550 (zsk), size = 1024b}
comcast.net. 3600 IN DNSKEY 257 3 5 ;{id = 40909 (ksk), size = 2048b}
[B] comcast.net. 30 IN A 69.252.80.75
;; Error: DNSSEC signature has expired
;;[S] self sig OK; [B] bogus; [T] trusted

Google Public DNS: with and without DNSSEC

DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC.

With DNSSEC, DNS queries fail:

$ dig +dnssec a comcast.net. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec a comcast.net. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22881
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;comcast.net. IN A

;; Query time: 8 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jan 18 17:50:57 2019
;; MSG SIZE rcvd: 40

You have to disable DNSSEC to make DNS queries work:

$ dig +cd a comcast.net. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +cd a comcast.net. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2152
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;comcast.net. IN A

;; ANSWER SECTION:
comcast.net. 29 IN A 69.252.80.75

;; Query time: 39 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jan 18 17:50:57 2019
;; MSG SIZE rcvd: 45

Logfile examples

[1547833554] unbound[56275:0] info: validation failure <www.comcast.net. A IN>: signature expired for CNAME from 184.28.50.94 and 95.100.168.65 and 68.87.72.244
[1547835324] unbound[56275:0] info: validation failure <comcast.net. A IN>: signature expired from 68.87.72.244