Namecheap customer DNS DNSSEC Outage:
February 21, 2019

Date: February 21, 2019

Overview

This page gives some details on the Namecheap customer DNS DNSSEC outage that occurred on or around February 21, 2019.

Post-mortem

Hah! There isn't one, and Namecheap didn't even mention this outage on their status.namecheap.com website. It was only discussed on Twitter by angry customers.

Twitter

Below you'll find linked quotes and screenshots in case any tweets are deleted.

2019-02-21: @zmarty writes: "Reply from support: "We experienced temporary issue with DNSSEC service that is already fixed... Thank you for your feedback regarding the notification on our Status Page." @Namecheap, is there an actual post mortem planned? Why is this STILL not posted on status page?

Namecheap DNSSEC

2019-02-21: @Foritus writes: "@Namecheap hello! Did you have a DNSSEC outage last night/earlier today? My .com and .net domains were failing to resolve during your maintenance window due to DNSSEC failures. Maybe your backup machine has an old key on it?"

Namecheap DNSSEC

2019-02-23: @tqbf writes: "One fun thing DNSSEC does give you, as a consolation prize for not providing any security: RANDOM OUTAGES. https://news.ycombinator.com/item?id=19227618...

(if you had DNSSEC enabled at Namecheap you fell off the Internet yesterday)"

Namecheap DNSSEC

Hacker News

This DNSSEC outage was briefly discussed in the Hacker News thread Namecheap Has DNSSEC Outage, No Disclosure on Status Page, Refuses Post-Mortem.

DNSViz / Zonemaster

DNSViz was (and still is, at the time of this writing) having a non-DNSSEC related outage. A notice on the site states "DNSViz will be without the historical functions of the tool for a little over a week while its hardware is in transit between Verisign and DNS-OARC. The historical functions will be brought back online during the week of February 11th." So the historical functions should have returned a week ago. I contend that DNSSEC makes its proponents numb to outages, and that this lack of seriousness creeps into other aspects of their tech stacks.

That said, the Twitter users @zmarty and @Foritus noted above have the domains ovidiudan.com and aornis.com, respectively, in their Twitter bios. Whois currently shows both domains registered through Namecheap. And at the time of this writing, DNSViz shows ovidiudan.com to have disabled DNSSEC by removing the DS record (keeping the RRSIGs). So apparently @zmarty disabled DNSSEC to maintain DNS availability.

Since DNSViz is essentially having a multi-week outage, here's a 3rd party citation of the above claim courtesy of zonemaster.iis.se. It shows RRSIGs but no DS record.

Additionally, zonemaster.labs.nic.cz shows a missing DS record.

Please note that missing DS records don't cause outages — they fix them! I'm only showing that one of the people claiming an outage appears to have disabled their own DNSSEC, which supports their claim of a DNSSEC outage.