.mg TLD DNSSEC Outage: 2019-03-25

Date: March 25, 2019

Overview

This page gives some details on the .mg (Madagascar) TLD DNSSEC outage on March 25, 2019. This is at least the 22nd DNSSEC outage for Madagascar.

Timeline / DNSViz

• 2019-03-25 16:37:55 UTC — RRSIG inception date is is 4 minutes in the future
• 2019-03-25 16:42:17 UTC — RRSIGs become valid

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from March 25, 2019:

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):

;; Domain: mg.
[B] mg. 3600 IN DNSKEY 257 3 5 ;{id = 59263 (ksk), size = 2048b}
mg. 3600 IN DNSKEY 256 3 5 ;{id = 4530 (zsk), size = 1024b}
mg. 3600 IN DNSKEY 257 3 5 ;{id = 64652 (ksk), size = 2048b}
[B] Error verifying denial of existence for mg. type A: No keys with the keytag and algorithm from the RRSIG found
;;[S] self sig OK; [B] bogus; [T] trusted

Google DNS: with and without DNSSEC

DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC.

With DNSSEC, DNS queries fail:

$ dig +dnssec a mg. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec a mg. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63655
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;mg. IN A

;; Query time: 337 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Mar 25 16:37:43 2019
;; MSG SIZE rcvd: 31

---

You have to disable DNSSEC to make DNS queries work:

$ dig +cd a mg. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +cd a mg. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52903
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mg. IN A

;; AUTHORITY SECTION:
mg. 1799 IN SOA ns.nic.mg. ramboa.nic.mg. 2019032517 600 3600 604800 3600

;; Query time: 16 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Mar 25 16:37:43 2019
;; MSG SIZE rcvd: 70

Zonemaster

zonemaster.iis.se archived "The apex DNSKEY RRset was not correctly signed."

Logfile examples

• [1553531862] unbound[90528:0] info: validation failure <mg. NS IN>: signature before inception date from 196.192.32.2 for key mg. while building chain of trust
• [1553531988] unbound[22979:0] info: validation failure <mg. NS IN>: signature before inception date from 204.61.216.121 for key mg. while building chain of trust
• [1553532062] unbound[22979:0] info: validation failure <mg. NS IN>: signature before inception date from 196.192.42.153 for key mg. while building chain of trust
• [1553532104] unbound[90528:0] info: validation failure <mg. NS IN>: signature before inception date from 87.98.132.231 for key mg. while building chain of trust