nohats.ca DNSSEC Outage: 2019-10-31

Date: October 31, 2019

Overview

This page gives some details on the nohats.ca DNSSEC outage on October 31, 2019. Related to this DNSSEC outage, I also saw DNSSEC failures for libreswan.org (see logfile examples below).

DNSViz / Timeline

DNSViz historical archives have been down for months at the time of this writing. DNSSEC makes its users completely give up.

• 2019-10-29 19:04:23 UTC — first personally observed DNSSEC failure for paola.nohats.ca
• 2019-10-30 02:46:29 UTC — first personally observed DNSSEC failure for www.nohats.ca
• 2019-10-30 21:42:15 UTC — first personally observed DNSSEC failure for ns0.nohats.ca
• 2019-10-30 22:24:51 UTC — first personally observed DNSSEC failure for tor.nohats.ca
• 2019-10-31 00:20:46 UTC — first personally observed DNSSEC failure for bofh.nohats.ca
• 2019-10-31 01:37:05 UTC — first personally observed DNSSEC failure for mx.nohats.ca
• 2019-10-31 04:51:14 UTC — first personally observed DNSSEC failure for pdc.nohats.ca
• 2019-10-31 09:56:08 UTC — first personally observed apex DNSSEC failure for nohats.ca
• 2019-10-31 14:18:17 UTC — last personally observed apex DNSSEC failure for nohats.ca

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here are screenshots of my web browser's output from October 31, 2019:

Zonemaster

Google DNS: with and without DNSSEC

DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC.

With DNSSEC, DNS queries fail:

$ dig +dnssec a nohats.ca. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec a nohats.ca. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29791
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;nohats.ca. IN A

;; Query time: 161 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Oct 31 09:56:10 2019
;; MSG SIZE rcvd: 38

---

You have to disable DNSSEC to make DNS queries work:

$ dig +cd a nohats.ca. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +cd a nohats.ca. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10125
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;nohats.ca. IN A

;; ANSWER SECTION:
nohats.ca. 21599 IN A 193.110.157.102

;; Query time: 87 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Oct 31 09:56:10 2019
;; MSG SIZE rcvd: 43

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):

;; Domain: nohats.ca.
[T] nohats.ca. 3600 IN DNSKEY 257 3 8 ;{id = 27545 (ksk), size = 2048b}
nohats.ca. 3600 IN DNSKEY 257 3 8 ;{id = 1321 (ksk), size = 2048b}
nohats.ca. 3600 IN DNSKEY 257 3 8 ;{id = 35434 (ksk), size = 2048b}
nohats.ca. 3600 IN DNSKEY 256 3 8 ;{id = 20373 (zsk), size = 2048b}
nohats.ca. 3600 IN DNSKEY 256 3 8 ;{id = 20164 (zsk), size = 2048b}
[B] nohats.ca. 86400 IN A 193.110.157.102
;; Error: DNSSEC signature has expired
;;[S] self sig OK; [B] bogus; [T] trusted

Logfile examples

• [1572375863] unbound[73855:0] info: validation failure <paola.nohats.ca. A IN>: signature expired from 149.56.110.74
• [1572403589] unbound[73855:0] info: validation failure <www.nohats.ca. A IN>: signature expired from 188.127.201.225
• [1572471735] unbound[73855:0] info: validation failure <ns0.nohats.ca. A IN>: signature expired from 149.56.110.74
• [1572474291] unbound[73855:0] info: validation failure <tor.nohats.ca. A IN>: signature expired from 149.56.110.74
• [1572481246] unbound[73855:0] info: validation failure <bofh.nohats.ca. A IN>: signature expired from 149.56.110.74
• [1572485825] unbound[73855:0] info: validation failure <mx.nohats.ca. A IN>: signature expired from 193.110.157.102
• [1572497474] unbound[73855:0] info: validation failure <pdc.nohats.ca. A IN>: signature expired from 193.110.157.102
• [1572515768] unbound[73855:0] info: validation failure <nohats.ca. A IN>: signature expired from 193.110.157.102
• [1572524912] unbound[185:0] info: validation failure <nohats.ca. A IN>: signature expired from 188.127.201.225
• [1572531497] unbound[73855:0] info: validation failure <nohats.ca. A IN>: signature expired from 149.56.110.74

• [1572481226] unbound[185:0] info: validation failure <www.libreswan.org. NS IN>: signature expired from 188.127.201.225 for <sfg24catf8qf47bkdjgsj9sual64dh64.libreswan.org. NSEC3 IN>
• [1572491402] unbound[185:0] info: validation failure <www.libreswan.org. NS IN>: signature expired from 193.110.157.102 for <sfg24catf8qf47bkdjgsj9sual64dh64.libreswan.org. NSEC3 IN>
• [1572501494] unbound[185:0] info: validation failure <www.libreswan.org. NS IN>: signature expired from 193.110.157.102 for <sfg24catf8qf47bkdjgsj9sual64dh64.libreswan.org. NSEC3 IN>
• [1572511773] unbound[185:0] info: validation failure <www.libreswan.org. NS IN>: signature expired from 188.127.201.225 for <sfg24catf8qf47bkdjgsj9sual64dh64.libreswan.org. NSEC3 IN>
• [1572522157] unbound[185:0] info: validation failure <www.libreswan.org. NS IN>: signature expired from 149.56.110.74 for <sfg24catf8qf47bkdjgsj9sual64dh64.libreswan.org. NSEC3 IN>