irs.gov DNSSEC Outage: 2020-04-25

Date: April 25, 2020

Overview

This page gives some details on the irs.gov DNSSEC outage on April 25, 2020.

Timeline / DNSViz

• 2020-04-25 03:17:13 UTC — Bogus DNSSEC delegation
• 2020-04-25 04:44:08 UTC — last personally observed irs.gov DNSSEC failure

Since DNSViz has lots its archives multiple times, here are some 3rd party copies:

• archive.is
• archive.org
• archive.md

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from April 25, 2020:

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):

;; Domain: irs.gov.
[B] irs.gov. 7200 IN DNSKEY 256 3 8 ;{id = 11886 (zsk), size = 2048b}
irs.gov. 7200 IN DNSKEY 256 3 8 ;{id = 44484 (zsk), size = 2048b}
irs.gov. 7200 IN DNSKEY 257 3 8 ;{id = 60439 (ksk), size = 2048b}
irs.gov. 7200 IN DNSKEY 257 3 8 ;{id = 44947 (ksk), size = 2048b}
[B] irs.gov. 600 IN A 152.216.7.110
irs.gov. 600 IN A 152.216.11.110
;; Error: No keys with the keytag and algorithm from the RRSIG found
;;[S] self sig OK; [B] bogus; [T] trusted

Logfile examples

• [1587784831] unbound[50740:0] info: validation failure <irs.gov. A IN>: signature expired from 152.216.7.164 for key irs.gov. while building chain of trust
• [1587787404] unbound[50740:0] info: validation failure <irs.gov. A IN>: signature expired from 152.216.11.132 for key irs.gov. while building chain of trust
• [1587789848] unbound[50740:0] info: validation failure <irs.gov. A IN>: signature expired from 152.216.11.133 for key irs.gov. while building chain of trust