time.nist.gov DNSSEC Outage: 2019-06-29

Date: June 29, 2019

Overview

This page gives some details on the time.nist.gov DNSSEC outage on June 29, 2019. It was not the first DNSSEC outage for time.nist.gov.

Timeline / DNSViz

DNSViz historical archives have been down for months at the time of this writing.

I contend that exposure to DNSSEC makes its users and advocates numb to outages, which creeps into and degrades their other work.

DNSSEC Debugger

Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from June 29, 2019:

[Screenshot: June 29, 2019 time.nist.gov DNSSEC outage]

Google Public DNS: with and without DNSSEC

DNSSEC validation can be disabled for an individual query by setting the CD (checking disabled) bit, which dig does with +cd. Let's compare DNS queries with and without DNSSEC.

With DNSSEC, DNS queries fail:

$ dig +dnssec a time.nist.gov. @8.8.8.8

; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec a time.nist.gov. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8179
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;time.nist.gov. IN A

;; Query time: 0 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jun 29 15:12:55 UTC 2019
;; MSG SIZE rcvd: 42


You have to disable DNSSEC to make DNS queries work:

$ dig +cd a time.nist.gov. @8.8.8.8

; <<>> DiG 9.10.3-P4-Debian <<>> +cd a time.nist.gov. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4120
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;time.nist.gov. IN A

;; ANSWER SECTION:
time.nist.gov. 1599 IN CNAME ntp1.glb.nist.gov.
ntp1.glb.nist.gov. 9 IN A 132.163.97.3

;; Query time: 1 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jun 29 15:12:55 UTC 2019
;; MSG SIZE rcvd: 81
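
The comparison above can be scripted. The following is an added example, not part of the original page: it reads the RCODE from a validated query and from a CD query and reports whether the failure is specific to DNSSEC validation. The function names and verdict strings are assumptions of this example; the sample header lines are copied from the two dig outputs above.

```shell
#!/bin/sh
# Added example: tell a DNSSEC validation failure apart from a general
# resolution failure by comparing a validated query with a CD query.

# Print the RCODE (SERVFAIL, NOERROR, ...) found in dig output on stdin.
# Prints nothing if there is no header line (e.g. the query timed out).
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify <rcode-with-validation> <rcode-with-CD-bit>
classify() {
    case "$1/$2" in
        # Resolver refuses while validating but answers when told not to check.
        SERVFAIL/NOERROR|SERVFAIL/NXDOMAIN) echo "dnssec-validation-failure" ;;
        # Fails either way: the problem is not limited to validation.
        SERVFAIL/SERVFAIL) echo "failure-not-dnssec-specific" ;;
        NOERROR/*|NXDOMAIN/*) echo "resolves-with-validation" ;;
        *) echo "inconclusive" ;;
    esac
}

# Live check: diagnose <name> <resolver-ip>. Needs dig and network access.
diagnose() {
    validated=$(dig +dnssec a "$1" "@$2" | dig_status)
    unchecked=$(dig +cd a "$1" "@$2" | dig_status)
    classify "$validated" "$unchecked"
}

# Header lines copied from the two dig outputs on this page.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8179'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4120'

# Offline run over the samples above.
sample_verdict() {
    classify "$(printf '%s\n' "$SAMPLE_VALIDATED" | dig_status)" \
             "$(printf '%s\n' "$SAMPLE_CD" | dig_status)"
}

sample_verdict
```

Against a live resolver, call `diagnose time.nist.gov. 8.8.8.8`; a verdict of `failure-not-dnssec-specific` means the resolver fails even with checking disabled, so the cause lies elsewhere.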

Logfile examples