.xn--wgbh1c TLD DNSSEC Outage: 2020-06-17 to 2020-06-25
Updated: June 27, 2020
Overview
This page gives some details on the .xn--wgbh1c (IDN TLD) DNSSEC outage from June 17 to June 25, 2020.
Timeline / DNSViz
- 2020-06-17 09:15:01 UTC — RRSIGs expire
- 2020-06-18 02:50:28 UTC — expired RRSIGs
- 2020-06-21 02:34:36 UTC — expired RRSIGs
- 2020-06-24 09:45:33 UTC — expired RRSIGs
- 2020-06-25 12:07:37 UTC — last personally observed .xn--wgbh1c DNSSEC failure
archive.org provided this archived snapshot of the DNSSEC outage, in case DNSViz fails, which it regularly does. There is also an archive courtesy of archive.is.
DNSSEC Debugger
Here's a screenshot of my web browser's output from June 18, 2020:
Google DNS: with and without DNSSEC
A validating resolver can be told to skip DNSSEC validation by setting the CD (checking disabled) bit in the query. Let's compare DNS queries with and without DNSSEC validation.
$ dig +dnssec ns xn--wgbh1c. @8.8.8.8
; <<>> dig 9.10.8-P1 <<>> +dnssec ns xn--wgbh1c. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15612
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;xn--wgbh1c. IN NS
;; Query time: 395 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jun 17 10:17:39 UTC 2020
;; MSG SIZE rcvd: 39
You have to disable DNSSEC validation (+cd) to make queries for the zone work at all:
$ dig +cd ns xn--wgbh1c. @8.8.8.8
; <<>> dig 9.10.8-P1 <<>> +cd ns xn--wgbh1c. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21916
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;xn--wgbh1c. IN NS
;; ANSWER SECTION:
xn--wgbh1c. 3599 IN NS ns1.dotmasr.eg.
xn--wgbh1c. 3599 IN NS ns2.dotmasr.eg.
xn--wgbh1c. 3599 IN NS ns3.dotmasr.eg.
xn--wgbh1c. 3599 IN NS ns4.dotmasr.eg.
;; Query time: 220 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jun 17 10:17:40 UTC 2020
;; MSG SIZE rcvd: 121
Zonemaster
- zonemaster.net shows expired RRSIGs. This page is archived by archive.is.
- zonemaster.iis.se shows expired RRSIGs. This page is archived by archive.is.
drill trace
Since a full DNSSEC drill trace is mostly noise, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):
;; Domain: xn--wgbh1c.
[B] xn--wgbh1c. 3600 IN DNSKEY 256 3 8 ;{id = 62163 (zsk), size = 1024b}
xn--wgbh1c. 3600 IN DNSKEY 257 3 8 ;{id = 19912 (ksk), size = 2048b}
[B] Error verifying denial of existence for xn--wgbh1c. type A: No keys with the keytag and algorithm from the RRSIG found
;;[S] self sig OK; [B] bogus; [T] trusted
dns.google.com
dns.google.com is separate from Google Public DNS (8.8.8.8). During this DNSSEC outage, dns.google.com showed a DNSSEC failure for xn--wgbh1c.
Logfile examples
These Unbound log entries come from different Unbound instances, each running on a different server in a different geographical region.
- [1592389055] unbound[35760:0] info: validation failure <xn--wgbh1c. NS IN>: signature expired from 81.21.97.155 for key xn--wgbh1c. while building chain of trust
- [1592393460] unbound[23281:0] info: validation failure <xn--wgbh1c. NS IN>: signature expired from 81.10.38.11 for key xn--wgbh1c. while building chain of trust
- [1593069022] unbound[23281:0] info: validation failure <xn--wgbh1c. NS IN>: signature expired from 81.21.99.11 for key xn--wgbh1c. while building chain of trust
- [1593086857] unbound[35760:0] info: validation failure <xn--wgbh1c. NS IN>: signature expired from 204.61.216.106 for key xn--wgbh1c. while building chain of trust
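As an added example that is not part of the original page, here is a small Python parser for Unbound "validation failure" lines of the form shown above: it converts the epoch prefix to UTC and groups failures by zone key and reason, so a resolver operator can see when an expired-RRSIG outage started and stopped and which upstream servers served the stale signatures. The regular expression is my assumption about Unbound's wording based only on these four lines; the sample log embeds the four entries above plus one constructed unrelated line.

```python
import re
from datetime import datetime, timezone

# Matches Unbound's "info: validation failure ..." lines as they appear on this page
# (assumed format; other Unbound failure reasons may phrase the tail differently).
UNBOUND_VALFAIL = re.compile(
    r"\[(?P<epoch>\d+)\] unbound\[(?P<pid>\d+):(?P<tid>\d+)\] info: validation failure "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: (?P<reason>.+?) "
    r"from (?P<src>[0-9a-fA-F.:]+) for key (?P<key>\S+) while building chain of trust"
)

# The four log lines from this page plus one constructed, unrelated line.
SAMPLE_LOG = [
    "[1592389055] unbound[35760:0] info: validation failure <xn--wgbh1c. NS IN>: signature expired from 81.21.97.155 for key xn--wgbh1c. while building chain of trust",
    "[1592390000] unbound[35760:0] info: start of service (unbound 1.9.6).",  # constructed noise
    "[1592393460] unbound[23281:0] info: validation failure <xn--wgbh1c. NS IN>: signature expired from 81.10.38.11 for key xn--wgbh1c. while building chain of trust",
    "[1593069022] unbound[23281:0] info: validation failure <xn--wgbh1c. NS IN>: signature expired from 81.21.99.11 for key xn--wgbh1c. while building chain of trust",
    "[1593086857] unbound[35760:0] info: validation failure <xn--wgbh1c. NS IN>: signature expired from 204.61.216.106 for key xn--wgbh1c. while building chain of trust",
]

def parse_validation_failures(lines):
    """Return one dict per validation-failure line (in input order); other lines are skipped."""
    events = []
    for line in lines:
        m = UNBOUND_VALFAIL.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["epoch"] = int(ev["epoch"])
        # Unbound's bracketed prefix is a Unix timestamp; render it as UTC for comparison with DNSViz.
        ev["utc"] = datetime.fromtimestamp(ev["epoch"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return events

def summarize(events):
    """Group by (key, reason): count, first/last seen in UTC, and the distinct upstream sources."""
    summary = {}
    for ev in events:
        s = summary.setdefault((ev["key"], ev["reason"]),
                               {"count": 0, "first": ev["epoch"], "last": ev["epoch"], "sources": set()})
        s["count"] += 1
        s["first"] = min(s["first"], ev["epoch"])
        s["last"] = max(s["last"], ev["epoch"])
        s["sources"].add(ev["src"])  # server that returned the expired signature
    for s in summary.values():  # present the window as UTC strings
        for k in ("first", "last"):
            s[k] = datetime.fromtimestamp(s[k], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return summary

if __name__ == "__main__":
    for (key, reason), s in summarize(parse_validation_failures(SAMPLE_LOG)).items():
        print(f"{key} {reason}: {s['count']} failures, {s['first']} .. {s['last']} UTC, from {sorted(s['sources'])}")
```

The last entry's UTC time matches the "last personally observed" failure in the timeline above, which is a quick way to confirm that a log window and a DNSViz history describe the same incident.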