.beauty TLD DNSSEC Outage: 2020-09-22
Date: September 22, 2020
Overview
This page gives some details on the .beauty TLD DNSSEC outage on September 22, 2020.
Timeline / DNSViz
- 2020-09-22 13:08:44 UTC — No RRSIGs (copy: archive.is)
- 2020-09-22 13:10:31 UTC — No RRSIGs (copy: archive.is)
- 2020-09-22 13:22:34 UTC — No RRSIGs (copy: archive.is)
- 2020-09-22 13:39:02 UTC — No RRSIGs (copy: archive.is)
- 2020-09-22 13:43:25 UTC — No RRSIGs (copy: archive.is)
- 2020-09-22 13:59:48 UTC — DNSSEC debris, but outage basically over
DNSSEC Debugger
Here's a screenshot of my web browser's output from September 22, 2020:
Google DNS: with and without DNSSEC
DNSSEC validation can be disabled per query by setting the CD (checking disabled) bit, which tells the resolver to return the answer without validating it. Let's compare DNS queries with and without DNSSEC.
$ dig +dnssec ns beauty. @8.8.8.8
; <<>> dig 9.10.8-P1 <<>> +dnssec ns beauty. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35936
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;beauty. IN NS
;; Query time: 74 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Sep 22 13:10:25 UTC 2020
;; MSG SIZE rcvd: 35
You have to disable DNSSEC to make DNS queries work:
$ dig +cd ns beauty. @8.8.8.8
; <<>> dig 9.10.8-P1 <<>> +cd ns beauty. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8217
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;beauty. IN NS
;; ANSWER SECTION:
beauty. 21599 IN NS a.nic.beauty.
beauty. 21599 IN NS b.nic.beauty.
beauty. 21599 IN NS c.nic.beauty.
beauty. 21599 IN NS d.nic.beauty.
;; Query time: 66 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Sep 22 13:10:25 UTC 2020
;; MSG SIZE rcvd: 103
drill trace
Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):
beauty. 86400 IN DS 52406 8 2 c5c45b79dbe67a132237b020f4966fe32fbe61553487e38d47918561568e9957
;; Domain: beauty.
;; No DNSKEY record found for beauty.
[U] No data found for: beauty. type A
;;[S] self sig OK; [B] bogus; [T] trusted
Logfile examples
These Unbound log entries come from different Unbound instances, each on different servers in different geographical regions.
- [1600780081] unbound[8912:0] info: validation failure <nic.beauty. NS IN>: no DNSSEC records from 212.18.248.119 for DS nic.beauty. while building chain of trust
- [1600780139] unbound[8912:0] info: validation failure <beauty. NS IN>: no signatures from 212.18.249.119
- [1600780223] unbound[40925:0] info: validation failure <beauty. NS IN>: No DNSKEY record from 212.18.248.119 for key beauty. while building chain of trust
- [1600780860] unbound[8912:0] info: validation failure <beauty. NS IN>: No DNSKEY record from 185.24.64.119 for key beauty. while building chain of trust
- [1600782627] unbound[40925:0] info: validation failure <beauty. NS IN>: No DNSKEY record from 212.18.248.119 for key beauty. while building chain of trust
- [1600782893] unbound[40925:0] info: validation failure <beauty. NS IN>: no signatures from 194.169.218.119
- [1600783109] unbound[40925:0] info: validation failure <beauty. NS IN>: no signatures from 185.24.64.119
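The Unbound entries above carry epoch timestamps, so they are hard to line up with the DNSViz timeline by eye. The following Python is an added example, not part of the original page: it parses those seven lines, converts the timestamps to UTC, and counts failures per category, upstream server and Unbound PID. The function names and category labels are this example's own assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# The seven Unbound log lines listed above, copied from the page.
LOG = """\
[1600780081] unbound[8912:0] info: validation failure <nic.beauty. NS IN>: no DNSSEC records from 212.18.248.119 for DS nic.beauty. while building chain of trust
[1600780139] unbound[8912:0] info: validation failure <beauty. NS IN>: no signatures from 212.18.249.119
[1600780223] unbound[40925:0] info: validation failure <beauty. NS IN>: No DNSKEY record from 212.18.248.119 for key beauty. while building chain of trust
[1600780860] unbound[8912:0] info: validation failure <beauty. NS IN>: No DNSKEY record from 185.24.64.119 for key beauty. while building chain of trust
[1600782627] unbound[40925:0] info: validation failure <beauty. NS IN>: No DNSKEY record from 212.18.248.119 for key beauty. while building chain of trust
[1600782893] unbound[40925:0] info: validation failure <beauty. NS IN>: no signatures from 194.169.218.119
[1600783109] unbound[40925:0] info: validation failure <beauty. NS IN>: no signatures from 185.24.64.119
"""

LINE = re.compile(r"\[(?P<ts>\d+)\] unbound\[(?P<pid>\d+):\d+\] info: validation failure "
                  r"<(?P<qname>\S+) (?P<qtype>\S+) [^>\s]+>: (?P<reason>.*)")
SERVER = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")
# Category labels are this example's own, keyed on the reason text in the lines above.
KINDS = (("no signatures", "missing RRSIG"), ("no dnskey", "missing DNSKEY"),
         ("no dnssec records", "missing DNSSEC records"))

def classify(reason):
    """Map Unbound's free-text reason to a coarse failure category."""
    return next((label for needle, label in KINDS if needle in reason.lower()), "other")

def parse(text):
    """Return one dict per 'validation failure' line; other lines are skipped."""
    events = []
    for m in map(LINE.search, text.splitlines()):
        if m is None:
            continue
        srv = SERVER.search(m["reason"])
        events.append({"time": datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc),
                       "pid": m["pid"], "qname": m["qname"], "qtype": m["qtype"],
                       "kind": classify(m["reason"]),
                       "server": srv.group(1) if srv else None})
    return events

def summarize(events):
    """Failure window in UTC plus counts per category, upstream server and PID."""
    times = [e["time"] for e in events]
    return {"first": min(times, default=None), "last": max(times, default=None),
            "by_kind": Counter(e["kind"] for e in events),
            "by_server": Counter(e["server"] for e in events),
            "pids": {e["pid"] for e in events}}

if __name__ == "__main__":
    print(summarize(parse(LOG)))
```

The logged failures run from 13:08:01 to 13:58:29 UTC on 2020-09-22, which matches the window of the DNSViz entries in the timeline.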