.ru TLD DNSSEC Outage: 2019-08-16

Date: August 16, 2019

Overview

This page gives some details on the .ru (Russia) TLD DNSSEC outage on August 16, 2019.

Timeline / DNSViz

(At the time of this writing, DNSViz historical archives have been down for months. DNSSEC makes its users think downtime doesn't matter.)

Google DNS: with and without DNSSEC

A client can ask a validating resolver to skip DNSSEC validation by setting the CD (checking disabled) bit in the query. Let's compare DNS queries with and without DNSSEC validation.

$ dig +dnssec ns ru. @8.8.8.8

; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec ns ru. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6706
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;ru. IN NS

;; Query time: 66 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Aug 16 15:38:27 UTC 2019
;; MSG SIZE rcvd: 31


You have to disable DNSSEC to make DNS queries work:

$ dig +cd ns ru. @8.8.8.8

; <<>> DiG 9.10.3-P4-Debian <<>> +cd ns ru. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16082
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ru. IN NS

;; ANSWER SECTION:
ru. 21599 IN NS a.dns.ripn.net.
ru. 21599 IN NS b.dns.ripn.net.
ru. 21599 IN NS d.dns.ripn.net.
ru. 21599 IN NS e.dns.ripn.net.
ru. 21599 IN NS f.dns.ripn.net.

;; Query time: 188 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Aug 16 15:38:27 UTC 2019
;; MSG SIZE rcvd: 123
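
The comparison above can be scripted to separate a DNSSEC validation failure from an ordinary resolver failure. This is an added example, not part of the original page; the function names (`dig_status`, `classify`, `probe`, `classify_page`) are chosen here, and the two header lines are copied from the dig output above.

```shell
#!/bin/sh
# Added example: compare the RCODE of the same query with validation on
# (+dnssec) and with the CD bit set (+cd), as done by hand on this page.

# Read dig output on stdin and print the RCODE name from the header line.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify VALIDATED_STATUS CD_STATUS
# SERVFAIL that disappears once CD is set points at validation, not reachability.
classify() {
    case "$1/$2" in
        SERVFAIL/NOERROR|SERVFAIL/NXDOMAIN) echo "dnssec-validation-failure" ;;
        SERVFAIL/SERVFAIL) echo "resolver-or-authority-failure" ;;
        NOERROR/*|NXDOMAIN/*) echo "ok" ;;
        *) echo "inconclusive" ;;   # timeout, REFUSED, unparsable output
    esac
}

# Live check against a validating resolver (needs dig and network access).
# usage: probe NAME TYPE RESOLVER   e.g. probe ru. ns 8.8.8.8
probe() {
    v=$(dig +dnssec "$2" "$1" "@$3" | dig_status)
    c=$(dig +cd "$2" "$1" "@$3" | dig_status)
    echo "$1 $2 @$3: validated=$v cd=$c -> $(classify "$v" "$c")"
}

# Header lines from the two dig runs shown on this page (2019-08-16).
PAGE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6706'
PAGE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16082'

# Offline replay of the page's own evidence.
classify_page() {
    classify "$(printf '%s\n' "$PAGE_VALIDATED" | dig_status)" \
             "$(printf '%s\n' "$PAGE_CD" | dig_status)"
}
```

Running `probe` from monitoring against more than one validating resolver shows whether the failure follows the zone or a single resolver.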

Logfile examples

These Unbound log entries come from different Unbound instances, each on a different server in a different geographical region.