.mg TLD DNSSEC Outage: 2019-05-20
Date: May 20, 2019
Overview
This page gives some details on the .mg (Madagascar) TLD DNSSEC outage on May 20, 2019. This is at least the 24th DNSSEC outage for Madagascar.
Timeline / DNSViz
(At the time of this writing, DNSViz historical archives have been down for several weeks. DNSSEC makes its users think downtime doesn't matter.)
I've included a screenshot of DNSViz output since DNSSEC people don't care if things work or not.
- 2019-05-20 03:11:06 UTC — first personally observed DNSSEC failure
- 2019-05-20 03:39:55 UTC — last personally observed DNSSEC failure
- 2019-05-20 03:42:25 UTC — RRSIGs become valid
DNSSEC Debugger
Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from May 20, 2019:
drill trace
Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):
;; Domain: mg.
[B] mg. 3600 IN DNSKEY 257 3 5 ;{id = 59263 (ksk), size = 2048b}
mg. 3600 IN DNSKEY 256 3 5 ;{id = 4530 (zsk), size = 1024b}
mg. 3600 IN DNSKEY 257 3 5 ;{id = 64652 (ksk), size = 2048b}
[B] Error verifying denial of existence for mg. type A: No keys with the keytag and algorithm from the RRSIG found
;;[S] self sig OK; [B] bogus; [T] trusted
Zonemaster
zonemaster.iis.se archived "The apex DNSKEY RRset was not correctly signed" and other DNSSEC errors.
Google DNS: with and without DNSSEC
DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC.
$ dig +dnssec ns mg. @8.8.8.8
; <<>> DiG 9.4.2-P2 <<>> +dnssec ns mg. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24742
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;mg. IN NS
;; Query time: 158 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon May 20 03:17:34 2019
;; MSG SIZE rcvd: 31
You have to disable DNSSEC to make DNS queries work:
$ dig +cd ns mg. @8.8.8.8
; <<>> DiG 9.4.2-P2 <<>> +cd ns mg. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4422
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;mg. IN NS
;; ANSWER SECTION:
mg. 7199 IN NS censvrns0001.ird.fr.
mg. 7199 IN NS pch.nic.mg.
mg. 7199 IN NS ns-mg.malagasy.com.
mg. 7199 IN NS ns.nic.mg.
mg. 7199 IN NS ns.dts.mg.
;; Query time: 16 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon May 20 03:17:34 2019
;; MSG SIZE rcvd: 145
Logfile examples
These Unbound log entries come from three different Unbound instances, each on different servers in different geographical regions.
- [1558321866] unbound[66225:0] info: validation failure <mg. NS IN>: signature before inception date from 87.98.132.231 for key mg. while building chain of trust
- [1558322252] unbound[14121:0] info: validation failure <mg. NS IN>: signature before inception date from 91.203.32.147 for key mg. while building chain of trust
- [1558323717] unbound[226:0] info: validation failure <mg. NS IN>: signature before inception date from 87.98.132.231 for key mg. while building chain of trust