.mg TLD DNSSEC Outage: 2019-05-28 to 2019-05-29

Date: May 29, 2019

Overview

This page gives some details on the .mg (Madagascar) TLD DNSSEC outage from May 28 to May 29, 2019. This is at least the 25th DNSSEC outage for Madagascar.

Timeline / DNSViz

(At the time of this writing, DNSViz historical archives have been down for over a month. DNSSEC makes its users think downtime doesn't matter.)

I've included a screenshot of DNSViz output since DNSSEC people don't care if things work or not.

dnsviz view of .mg dnssec outage

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from May 29, 2019:

May 29, 2019 .mg TLD DNSSEC outage

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):

;; Domain: mg.
[B] mg. 3600 IN DNSKEY 257 3 5 ;{id = 64652 (ksk), size = 2048b}
mg. 3600 IN DNSKEY 256 3 5 ;{id = 4530 (zsk), size = 1024b}
mg. 3600 IN DNSKEY 256 3 5 ;{id = 36951 (zsk), size = 1024b}
mg. 3600 IN DNSKEY 257 3 5 ;{id = 59263 (ksk), size = 2048b}
[B] Error verifying denial of existence for mg. type A: No keys with the keytag and algorithm from the RRSIG found
;;[S] self sig OK; [B] bogus; [T] trusted

dns.google.com

dns.google.com is related to but separate from Google Public DNS. During this DNSSEC outage, dns.google.com showed the following for mg:

May 29, 2019 dns.google.com output for mg

This data is also archived by web.archive.org.

Zonemaster

zonemaster.iis.se archived "The apex DNSKEY RRset was not correctly signed" and other DNSSEC errors.

Google DNS: with and without DNSSEC

DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC.

$ dig +dnssec a mg. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec a mg. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62860
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;mg. IN A

;; Query time: 30 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue May 28 23:38:53 2019
;; MSG SIZE rcvd: 31

You have to disable DNSSEC to make DNS queries work:

$ dig +cd a mg. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +cd a mg. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60859
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mg. IN A

;; AUTHORITY SECTION:
mg. 1799 IN SOA ns.nic.mg. ramboa.nic.mg. 2019052825 600 3600 604800 3600

;; Query time: 30 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue May 28 23:38:53 2019
;; MSG SIZE rcvd: 70

Logfile examples

These Unbound log entries come from three different Unbound instances, each on different servers in different geographical regions.