house.gov DNSSEC Outage: 2019-05-21

Date: May 21, 2019

Overview

This page gives some details on the house.gov DNSSEC outage on May 21, 2019.

Timeline / DNSViz

DNSViz historical archives have been down for over a month at the time of this writing. DNSSEC makes its users completely give up.

I've included a screenshot of DNSViz output since DNSSEC people don't care if things work or not.

May 21, 2019 DNSViz output for house.gov

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from May 21, 2019:

May 21, 2019 house.gov DNSSEC outage

Google DNS: with and without DNSSEC

DNSSEC validation can be switched off for an individual query via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC validation.

With DNSSEC validation in effect, the query fails (SERVFAIL):

$ dig +dnssec www.house.gov. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec www.house.gov. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30796
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.house.gov. IN A

;; Query time: 90 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue May 21 15:50:17 2019
;; MSG SIZE rcvd: 42


You have to disable DNSSEC validation (+cd) to get an answer at all:

$ dig +cd www.house.gov. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +cd www.house.gov. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33131
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.house.gov. IN A

;; ANSWER SECTION:
www.house.gov. 899 IN CNAME wwwcl.house.gov.
wwwcl.house.gov. 3599 IN CNAME wc.house.gov.edgekey.net.
wc.house.gov.edgekey.net. 21599 IN CNAME e4776.g.akamaiedge.net.
e4776.g.akamaiedge.net. 19 IN A 23.64.198.148

;; Query time: 246 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue May 21 15:50:17 2019
;; MSG SIZE rcvd: 138
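As an added example (not part of the original page), here is a small Python check that applies the same +dnssec versus +cd comparison to tell a DNSSEC validation failure apart from an ordinary resolution failure. It parses dig header lines; the embedded sample input is the two headers captured above for www.house.gov, plus one constructed "validated" header for contrast.

```python
"""Classify a zone's DNSSEC state from a pair of dig runs: one with the DO bit
(+dnssec) and one with checking disabled (+cd), as done above for house.gov."""
import re

# Header lines from the two dig runs shown above for www.house.gov (2019-05-21).
DIG_DO = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30796
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""
DIG_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33131
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0"""

# Constructed sample (not from the page): a validated answer carries the ad flag.
DIG_SECURE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"""

STATUS_RE = re.compile(r"->>HEADER<<-.*\bstatus: (?P<status>[A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags: (?P<flags>[a-z ]*);", re.MULTILINE)


def parse_dig(text):
    """Return (rcode, set of header flags) from one dig output."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    if status is None or flags is None:
        raise ValueError("no dig header found")
    return status.group("status"), set(flags.group("flags").split())


def classify(do_output, cd_output):
    """secure / insecure / bogus / unreachable, in the sense a validating
    resolver uses them; 'bogus' is the outage case documented on this page."""
    do_rcode, do_flags = parse_dig(do_output)
    cd_rcode, _ = parse_dig(cd_output)
    if do_rcode in ("NOERROR", "NXDOMAIN"):
        # Resolver returned data; the ad flag means it validated the chain of trust.
        return "secure" if "ad" in do_flags else "insecure"
    if do_rcode == "SERVFAIL" and cd_rcode == "NOERROR":
        # Data exists and is served, but validation fails: broken DNSSEC.
        return "bogus"
    if do_rcode == "SERVFAIL" and cd_rcode == "SERVFAIL":
        return "unreachable"  # fails even without validation, so not a DNSSEC problem
    return "other:" + do_rcode


if __name__ == "__main__":
    print("www.house.gov:", classify(DIG_DO, DIG_CD))  # bogus
```

In a monitoring job the two strings would come from live `dig +dnssec` and `dig +cd` runs against the same resolver; only the header lines are needed.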

Zonemaster

Note: Zonemaster requires JavaScript.

dns.google.com

dns.google.com is related to but separate from Google Public DNS. During this DNSSEC outage, dns.google.com showed the following for house.gov:

May 21, 2019 dns.google.com output for house.gov

This data is also saved by archive.org.

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):

;; Domain: house.gov.
;; Signature ok but no chain to a trusted key or ds record
[S] house.gov. 172800 IN DNSKEY 256 3 8 ;{id = 18990 (zsk), size = 1024b}
house.gov. 172800 IN DNSKEY 256 3 8 ;{id = 17559 (zsk), size = 1024b}
house.gov. 172800 IN DNSKEY 257 3 8 ;{id = 58060 (ksk), size = 2048b}
[S] house.gov. 3600 IN A 34.194.109.118
house.gov. 3600 IN A 35.168.94.129
;;[S] self sig OK; [B] bogus; [T] trusted

Logfile examples