army.mil DNSSEC Outage: 2020-09-30
Updated: September 30, 2020
Overview
This page gives some details on the army.mil DNSSEC outage on September 30, 2020.
Timeline / DNSViz
- 2020-09-29 21:11:06 UTC — first personally observed www.army.mil DNSSEC failure
- 2020-09-30 00:09:00 UTC — Bogus DNSSEC
- 2020-09-30 00:18:28 UTC — first personally observed army.mil DNSSEC failure
- 2020-09-30 09:12:51 UTC — last personally observed army.mil DNSSEC failure
- 2020-09-30 10:21:04 UTC — last personally observed www.army.mil DNSSEC failure
Since DNSViz has lost its archives multiple times, here are some third-party copies:
And here's a screenshot, just in case:

DNSSEC Debugger
Here's a screenshot of my web browser's output from September 30, 2020:

drill trace
Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):
;; Domain: army.mil.
[B] army.mil. 92528 IN DNSKEY 257 3 8 ;{id = 30256 (ksk), size = 2048b}
army.mil. 92528 IN DNSKEY 256 3 8 ;{id = 49608 (zsk), size = 2048b}
army.mil. 92528 IN DNSKEY 256 3 8 ;{id = 61578 (zsk), size = 2048b}
[B] army.mil. 2301 IN A 147.241.58.6
;; Error: No keys with the keytag and algorithm from the RRSIG found
;;[S] self sig OK; [B] bogus; [T] trusted
Logfile examples
These logs come from different servers in different geographical regions:
- [1601424530] unbound[8912:0] info: validation failure <army.mil. A IN>: signature crypto failed from 192.82.113.7 for key army.mil. while building chain of trust
- [1601457171] unbound[69311:0] info: validation failure <army.mil. A IN>: signature crypto failed from 192.82.113.7 for key army.mil. while building chain of trust
- [1601460439] unbound[69311:0] info: validation failure <www.army.mil. A IN>: signature crypto failed from 130.114.200.6 for key army.mil. while building chain of trust
- [1601461264] unbound[69311:0] info: validation failure <www.army.mil. A IN>: signature crypto failed from 140.153.43.44 for key army.mil. while building chain of trust
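The bracketed numbers in these unbound lines are Unix epoch seconds. As an added example (not part of the original page), this Python sketch parses the four lines above and derives a first/last failure window per queried name; the regular expression assumes the exact line layout shown here, and `parse_line` and `failure_windows` are hypothetical helper names.

```python
import re
from datetime import datetime, timezone

# The four unbound log lines quoted on this page (epoch seconds in brackets).
LOG_LINES = [
    "[1601424530] unbound[8912:0] info: validation failure <army.mil. A IN>: signature crypto failed from 192.82.113.7 for key army.mil. while building chain of trust",
    "[1601457171] unbound[69311:0] info: validation failure <army.mil. A IN>: signature crypto failed from 192.82.113.7 for key army.mil. while building chain of trust",
    "[1601460439] unbound[69311:0] info: validation failure <www.army.mil. A IN>: signature crypto failed from 130.114.200.6 for key army.mil. while building chain of trust",
    "[1601461264] unbound[69311:0] info: validation failure <www.army.mil. A IN>: signature crypto failed from 140.153.43.44 for key army.mil. while building chain of trust",
]

# Assumed layout, taken from the lines above:
# [epoch] unbound[pid:thread] info: validation failure <qname qtype qclass>: reason from server for key zone ...
PATTERN = re.compile(
    r"^\[(?P<epoch>\d+)\] unbound\[\d+:\d+\] info: validation failure "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: "
    r"(?P<reason>.+?) from (?P<server>\S+) for key (?P<key>\S+)"
)

def parse_line(line):
    """Return a dict for one validation-failure line, or None if it does not match."""
    m = PATTERN.match(line.strip().lstrip("- "))
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.fromtimestamp(int(rec.pop("epoch")), tz=timezone.utc)
    return rec

def failure_windows(lines):
    """Group failures by queried name: first/last time seen, upstream servers, reasons."""
    windows = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a validation failure in the assumed layout
        w = windows.setdefault(
            rec["qname"],
            {"first": rec["time"], "last": rec["time"], "servers": set(), "reasons": set()},
        )
        w["first"] = min(w["first"], rec["time"])
        w["last"] = max(w["last"], rec["time"])
        w["servers"].add(rec["server"])
        w["reasons"].add(rec["reason"])
    return windows

if __name__ == "__main__":
    for qname, w in sorted(failure_windows(LOG_LINES).items()):
        print(qname, w["first"].isoformat(), w["last"].isoformat(), sorted(w["servers"]))
```

Run against these four lines, the last failure per name comes out as 09:12:51 UTC for army.mil. and 10:21:04 UTC for www.army.mil., the same times as the last two timeline entries.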