army.mil DNSSEC Outage: 2020-07-25 to 2020-07-27

Updated: July 28, 2020

Overview

This page gives some details on the army.mil DNSSEC outage from July 25 to July 27, 2020.

Timeline / DNSViz

• 2020-07-25 17:26:45 UTC — Bogus RRSIGs
• 2020-07-26 04:50:07 UTC — Bogus RRSIGs
• 2020-07-26 10:52:39 UTC — Bogus RRSIGs
• 2020-07-26 18:10:29 UTC — Bogus RRSIGs
• 2020-07-27 02:14:06 UTC — last personally observed DNSSEC failure

Since DNSViz has lots its archives multiple times, here are some 3rd party copies:

• archive.is
• archive.is

DNSSEC Debugger

Here's a screenshot of my web browser's output from July 25, 2020.

Zonemaster

• zonemaster.iis.se: Bogus DNSSEC
  • (archive.is copy)
• zonemaster.net: Bogus DNSSEC
  • (archive.is copy)

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):

;; Domain: army.mil.
[B] army.mil. 137436 IN DNSKEY 256 3 8 ;{id = 23943 (zsk), size = 2048b}
army.mil. 137436 IN DNSKEY 256 3 8 ;{id = 38601 (zsk), size = 2048b}
army.mil. 137436 IN DNSKEY 257 3 8 ;{id = 30256 (ksk), size = 2048b}
[B] army.mil. 1372 IN A 147.241.58.6
;; Error: No keys with the keytag and algorithm from the RRSIG found
;;[S] self sig OK; [B] bogus; [T] trusted

Logfile examples

• [1595678692] unbound[54217:0] info: validation failure <www.army.mil. A IN>: signature crypto failed from 130.114.200.6 for key army.mil. while building chain of trust
• [1595678869] unbound[54217:0] info: validation failure <army.mil. A IN>: signature crypto failed from 140.153.43.44 for key army.mil. while building chain of trust
• [1595734820] unbound[54217:0] info: validation failure <army.mil. A IN>: signature crypto failed from 192.82.113.7 for key army.mil. while building chain of trust
• [1595775388] unbound[54217:0] info: validation failure <army.mil. A IN>: signature crypto failed from 130.114.200.6 for key army.mil. while building chain of trust
• [1595794820] unbound[54217:0] info: validation failure <army.mil. A IN>: signature crypto failed from 192.82.113.7 for key army.mil. while building chain of trust
• [1595815882] unbound[54217:0] info: validation failure <www.army.mil. A IN>: signature crypto failed from 140.153.43.44 for key army.mil. while building chain of trust
• [1595816046] unbound[54217:0] info: validation failure <army.mil. A IN>: signature crypto failed from 192.82.113.7 for key army.mil. while building chain of trust