army.mil DNSSEC Outage: 2020-07-25 to 2020-07-27
Updated: July 28, 2020
Overview
This page gives some details on the army.mil DNSSEC outage from July 25 to July 27, 2020.
Timeline / DNSViz
- 2020-07-25 17:26:45 UTC — Bogus RRSIGs
- 2020-07-26 04:50:07 UTC — Bogus RRSIGs
- 2020-07-26 10:52:39 UTC — Bogus RRSIGs
- 2020-07-26 18:10:29 UTC — Bogus RRSIGs
- 2020-07-27 02:14:06 UTC — last personally observed DNSSEC failure
Since DNSViz has lots its archives multiple times, here are some 3rd party copies:
DNSSEC Debugger
Here's a screenshot of my web browser's output from July 25, 2020.
Zonemaster
- zonemaster.iis.se: Bogus DNSSEC
- zonemaster.net: Bogus DNSSEC
drill trace
Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):
;; Domain: army.mil.
[B] army.mil. 137436 IN DNSKEY 256 3 8 ;{id = 23943 (zsk), size = 2048b}
army.mil. 137436 IN DNSKEY 256 3 8 ;{id = 38601 (zsk), size = 2048b}
army.mil. 137436 IN DNSKEY 257 3 8 ;{id = 30256 (ksk), size = 2048b}
[B] army.mil. 1372 IN A 147.241.58.6
;; Error: No keys with the keytag and algorithm from the RRSIG found
;;[S] self sig OK; [B] bogus; [T] trusted
Logfile examples
- [1595678692] unbound[54217:0] info: validation failure <www.army.mil. A IN>: signature crypto failed from 130.114.200.6 for key army.mil. while building chain of trust
- [1595678869] unbound[54217:0] info: validation failure <army.mil. A IN>: signature crypto failed from 140.153.43.44 for key army.mil. while building chain of trust
- [1595734820] unbound[54217:0] info: validation failure <army.mil. A IN>: signature crypto failed from 192.82.113.7 for key army.mil. while building chain of trust
- [1595775388] unbound[54217:0] info: validation failure <army.mil. A IN>: signature crypto failed from 130.114.200.6 for key army.mil. while building chain of trust
- [1595794820] unbound[54217:0] info: validation failure <army.mil. A IN>: signature crypto failed from 192.82.113.7 for key army.mil. while building chain of trust
- [1595815882] unbound[54217:0] info: validation failure <www.army.mil. A IN>: signature crypto failed from 140.153.43.44 for key army.mil. while building chain of trust
- [1595816046] unbound[54217:0] info: validation failure <army.mil. A IN>: signature crypto failed from 192.82.113.7 for key army.mil. while building chain of trust