.unicom TLD DNSSEC Outage: 2019-10-06

Date: October 6, 2019

Overview

This page gives some details on the .unicom TLD DNSSEC outage on October 6, 2019.

Timeline / DNSViz

(At the time of this writing, DNSViz historical archives have been down for months. DNSSEC makes its users think downtime doesn't matter.)

2019-10-06 23:51:01 UTC — RRSIGs expire
2019-10-06 23:53:36 UTC — first personally witnessed <unicom. NS IN> DNSSEC failure
2019-10-07 00:21:12 UTC — last personally witnessed <unicom. NS IN> DNSSEC failure

DNSSEC Debugger

Here's a screenshot of my web browser's output from October 6, 2019:

October 6, 2019 .unicom TLD DNSSEC outage

Google DNS: with and without DNSSEC

DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC.

$ dig +dnssec ns unicom. @8.8.8.8

; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec ns unicom. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5436
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;unicom. IN NS

;; Query time: 250 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Oct 06 23:53:40 UTC 2019
;; MSG SIZE rcvd: 35

You have to disable DNSSEC to make DNS queries work:

$ dig +cd ns unicom. @8.8.8.8

; <<>> DiG 9.10.3-P4-Debian <<>> +cd ns unicom. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8809
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;unicom. IN NS

;; ANSWER SECTION:
unicom. 3599 IN NS c.zdnscloud.com.
unicom. 3599 IN NS f.zdnscloud.com.
unicom. 3599 IN NS b.zdnscloud.com.
unicom. 3599 IN NS d.zdnscloud.com.
unicom. 3599 IN NS i.zdnscloud.com.
unicom. 3599 IN NS g.zdnscloud.com.
unicom. 3599 IN NS j.zdnscloud.com.
unicom. 3599 IN NS a.zdnscloud.com.

;; Query time: 145 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Oct 06 23:53:40 UTC 2019
;; MSG SIZE rcvd: 176

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):

;; Domain: unicom.
[B] unicom. 7200 IN DNSKEY 256 3 8 ;{id = 13050 (zsk), size = 1280b}
unicom. 7200 IN DNSKEY 257 3 8 ;{id = 38650 (ksk), size = 2048b}
unicom. 7200 IN DNSKEY 257 3 8 ;{id = 51527 (ksk), size = 2048b}
unicom. 7200 IN DNSKEY 256 3 8 ;{id = 48469 (zsk), size = 1024b}
[B] Error verifying denial of existence for unicom. type A: No keys with the keytag and algorithm from the RRSIG found
;;[S] self sig OK; [B] bogus; [T] trusted

Logfile examples

These Unbound log entries come from different Unbound instances, each on different servers in different geographical regions.

[1570406016] unbound[25587:0] info: validation failure <unicom. NS IN>: signature expired from 114.67.46.12 for key unicom. while building chain of trust
[1570407435] unbound[185:0] info: validation failure <unicom. NS IN>: signature expired from 203.99.24.1 for key unicom. while building chain of trust
[1570407483] unbound[25587:0] info: validation failure <unicom. NS IN>: signature expired from 203.99.27.1 for key unicom. while building chain of trust
[1570407672] unbound[25587:0] info: validation failure <unicom. NS IN>: signature expired from 203.99.26.1 for key unicom. while building chain of trust