.ss TLD DNSSEC Outage: 2019-10-01 to 2019-10-05

Date: October 5, 2019

Overview

This page gives some details on the .ss (South Sudan) TLD DNSSEC outage from October 1 to October 5, 2019.

Timeline / DNSViz

(At the time of this writing, DNSViz historical archives have been down for months. DNSSEC makes its users think downtime doesn't matter.)

2019-10-01 20:26:39 UTC — first personally witnessed <ss. NS IN> DNSSEC failure
2019-10-05 11:35:36 UTC — last personally witnessed <ss. NS IN> DNSSEC failure

Since DNSViz no longer saves DNSSEC outage info, there is an archive at archive.is.

DNSSEC Debugger

Here's a screenshot of my web browser's output from October 1, 2019:

October 1, 2019 .ss (South Sudan) TLD DNSSEC outage

There is a copy of DNSSEC Debugger output saved by archive.is.

Google DNS: with and without DNSSEC

DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC.

$ dig +dnssec ns ss. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec ns ss. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1922
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;ss. IN NS

;; Query time: 510 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Oct 1 20:24:55 2019
;; MSG SIZE rcvd: 31

You have to disable DNSSEC to make DNS queries work:

$ dig +cd ns ss. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +cd ns ss. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35022
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ss. IN NS

;; ANSWER SECTION:
ss. 21599 IN NS ssnic.anycastdns.cz.
ss. 21599 IN NS root.ssnic.gov.ss.
ss. 21599 IN NS b.ns.tznic.or.tz.

;; Query time: 339 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Oct 1 20:24:55 2019
;; MSG SIZE rcvd: 112

Zonemaster

This .ss DNSSEC outage was archived by zonemaster.iis.se
It was also archived by zonemaster.net

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):

;; Domain: ss.
[B] ss. 3600 IN DNSKEY 256 3 8 ;{id = 13561 (zsk), size = 2048b}
ss. 3600 IN DNSKEY 257 3 8 ;{id = 43817 (ksk), size = 2048b}
ss. 3600 IN DNSKEY 256 3 8 ;{id = 27705 (zsk), size = 2048b}
[B] Error verifying denial of existence for ss. type A: No keys with the keytag and algorithm from the RRSIG found
;;[S] self sig OK; [B] bogus; [T] trusted

Logfile examples

These Unbound log entries come from different Unbound instances, each on different servers in different geographical regions.

[1569961492] unbound[95122:0] info: validation failure <ss. NS IN>: signature expired from 185.28.194.194 for key ss. while building chain of trust
[1569961823] unbound[185:0] info: validation failure <ss. NS IN>: signature expired from 185.38.108.108 for key ss. while building chain of trust
[1570121876] unbound[185:0] info: validation failure <ss. NS IN>: signature expired from 196.216.162.70 for key ss. while building chain of trust
[1570275336] unbound[64424:0] info: validation failure <ss. NS IN>: signature expired from 185.28.194.194 for key ss. while building chain of trust