irs.gov DNSSEC Outage: 2020-04-25
Date: April 25, 2020
Overview
This page gives some details on the irs.gov DNSSEC outage on April 25, 2020.
Timeline / DNSViz
- 2020-04-25 03:17:13 UTC — Bogus DNSSEC delegation
- 2020-04-25 04:44:08 UTC — last personally observed irs.gov DNSSEC failure
Since DNSViz has lost its archives multiple times, here are some 3rd party copies:
DNSSEC Debugger
Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from April 25, 2020:
drill trace
Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):
;; Domain: irs.gov.
[B] irs.gov. 7200 IN DNSKEY 256 3 8 ;{id = 11886 (zsk), size = 2048b}
irs.gov. 7200 IN DNSKEY 256 3 8 ;{id = 44484 (zsk), size = 2048b}
irs.gov. 7200 IN DNSKEY 257 3 8 ;{id = 60439 (ksk), size = 2048b}
irs.gov. 7200 IN DNSKEY 257 3 8 ;{id = 44947 (ksk), size = 2048b}
[B] irs.gov. 600 IN A 152.216.7.110
irs.gov. 600 IN A 152.216.11.110
;; Error: No keys with the keytag and algorithm from the RRSIG found
;;[S] self sig OK; [B] bogus; [T] trusted
Logfile examples
- [1587784831] unbound[50740:0] info: validation failure <irs.gov. A IN>: signature expired from 152.216.7.164 for key irs.gov. while building chain of trust
- [1587787404] unbound[50740:0] info: validation failure <irs.gov. A IN>: signature expired from 152.216.11.132 for key irs.gov. while building chain of trust
- [1587789848] unbound[50740:0] info: validation failure <irs.gov. A IN>: signature expired from 152.216.11.133 for key irs.gov. while building chain of trust
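The unbound log lines above carry epoch timestamps, which makes them hard to line up against the timeline by eye. The following is an added example, not part of the original page: a small parser that converts the timestamps to UTC and summarizes the failure window per name and reason. The function names and the regular expression are assumptions written for this log format as quoted here.

```python
import re
from datetime import datetime, timezone

# The three unbound log lines quoted on this page.
LOG = """\
[1587784831] unbound[50740:0] info: validation failure <irs.gov. A IN>: signature expired from 152.216.7.164 for key irs.gov. while building chain of trust
[1587787404] unbound[50740:0] info: validation failure <irs.gov. A IN>: signature expired from 152.216.11.132 for key irs.gov. while building chain of trust
[1587789848] unbound[50740:0] info: validation failure <irs.gov. A IN>: signature expired from 152.216.11.133 for key irs.gov. while building chain of trust
"""

# Assumed pattern, derived from the lines above: epoch, query tuple, reason, upstream server.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: validation failure "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>[^>\s]+)>: "
    r"(?P<reason>.+?) from (?P<server>\S+)"
)

def parse(log_text):
    """Yield (utc_datetime, qname, qtype, reason, server) per validation failure."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.lstrip("- ").strip())  # tolerate list bullets
        if m:  # lines that are not validation failures are skipped
            when = datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc)
            yield when, m["qname"], m["qtype"], m["reason"], m["server"]

def summarize(log_text):
    """Group failures by (qname, reason): first/last seen (UTC), servers, count."""
    out = {}
    for when, qname, _qtype, reason, server in parse(log_text):
        s = out.setdefault((qname, reason),
                           {"first": when, "last": when, "servers": set(), "count": 0})
        s["first"] = min(s["first"], when)
        s["last"] = max(s["last"], when)
        s["servers"].add(server)
        s["count"] += 1
    return out

if __name__ == "__main__":
    fmt = "%Y-%m-%d %H:%M:%S"
    for (qname, reason), s in summarize(LOG).items():
        print(f"{qname} {reason}: {s['count']} failures, "
              f"{s['first'].strftime(fmt)} to {s['last'].strftime(fmt)} UTC, "
              f"servers: {', '.join(sorted(s['servers']))}")
```

The last log line converts to 2020-04-25 04:44:08 UTC, which agrees with the final entry in the timeline.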