nohats.ca DNSSEC Outage: 2020-01-04
Date: January 4, 2020
Overview
This page gives some details on the nohats.ca DNSSEC outage on January 4, 2020.
DNSViz / Timeline
DNSViz historical archives have been down for about a year at the time of this writing. DNSSEC makes its users completely give up.
- 2020-01-04 10:02:48 UTC — first personally observed nohats.ca DNSSEC failure
- 2020-01-04 18:15:19 UTC — last personally observed nohats.ca DNSSEC failure
Here's a screenshot of DNSViz output during the nohats.ca DNSSEC outage:
This data was also saved by archive.is.
DNSSEC Debugger
Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from January 4, 2020:
Zonemaster
Please note: Zonemaster requires javascript to display text.
- zonemaster.net archived this DNSSEC outage. It was also saved by archive.is.
- zonemaster.labs.nic.cz also archived this nohats.ca DNSSEC outage. It was also saved by archive.is
Google DNS: with and without DNSSEC
DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC.
With DNSSEC, DNS queries fail:
$ dig +dnssec a nohats.ca. @8.8.8.8
; <<>> DiG 9.4.2-P2 <<>> +dnssec a nohats.ca. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36473
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;nohats.ca. IN A
;; Query time: 311 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jan 4 10:07:55 2020
;; MSG SIZE rcvd: 38
You have to disable DNSSEC to make DNS queries work:
$ dig +cd a nohats.ca. @8.8.8.8
; <<>> DiG 9.4.2-P2 &;t;<>> +cd a nohats.ca. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56292
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;nohats.ca. IN A
;; ANSWER SECTION:
nohats.ca. 21599 IN A 193.110.157.102
;; Query time: 85 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jan 4 10:07:55 2020
;; MSG SIZE rcvd: 43
drill trace
Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):
[T] nohats.ca. 86400 IN DS 1321 8 2 b7890a1e7b4ce1d671795d5fd46a71f229c58025587bec4eeb70ccda9233011c
;; Domain: nohats.ca.
;; Signature ok but no chain to a trusted key or ds record
[S] nohats.ca. 3600 IN DNSKEY 256 3 8 ;{id = 56754 (zsk), size = 2048b}
nohats.ca. 3600 IN DNSKEY 257 3 8 ;{id = 35434 (ksk), size = 2048b}
[S] nohats.ca. 86400 IN A 193.110.157.102
;;[S] self sig OK; [B] bogus; [T] trusted
dns.google.com
dns.google.com is related to but separate from Google Public DNS. During this DNSSEC outage, dns.google.com showed the following for nohats.ca:
Logfile examples
- [1578132168] unbound[98382:0] info: validation failure <bofh.nohats.ca. A IN>: no keys have a DS with algorithm RSASHA256 from 193.110.157.102 for key nohats.ca. while building chain of trust
- 578138631] unbound[98382:0] info: validation failure <www.nohats.ca. A IN<: no keys have a DS with algorithm RSASHA256 from 149.56.110.74 for key nohats.ca. while building chain of trust
- [1578161529] unbound[98382:0] info: validation failure <ns0.nohats.ca. A IN<: no keys have a DS with algorithm RSASHA256 from 193.110.157.102 for key nohats.ca. while building chain of trust
- [1578161554] unbound[98382:0] info: validation failure <ns1.nohats.ca. A IN<: key for validation nohats.ca. is marked as invalid because of a previous validation failure <ns0.nohats.ca. A IN<: no keys have a DS with algorithm RSASHA256 from 193.110.157.102 for key nohats.ca. while building chain of trust
- [1578161578] unbound[98382:0] info: validation failure <ns2.nohats.ca. A IN<: key for validation nohats.ca. is marked as invalid because of a previous validation failure <ns0.nohats.ca. A IN<: no keys have a DS with algorithm RSASHA256 from 193.110.157.102 for key nohats.ca. while building chain of trust
- [1578161591] unbound[98382:0] info: validation failure <nssec.nohats.ca. A IN<: no keys have a DS with algorithm RSASHA256 from 149.56.110.74 for key nohats.ca. while building chain of trust