lb (Lebanon) DNSSEC Outage: 2020-11-02
Date: November 2, 2020
Overview
This page gives some details on the lb (Lebanon) DNSSEC outage on November 2, 2020.
Timeline / DNSViz
- 2020-11-02 00:13:18 UTC — No RRSIGs (copies: archive.is and archive.org)
- 2020-11-02 00:35:17 UTC — No RRSIGs (copies: archive.is and archive.org)
- 2020-11-02 02:50:11 UTC — last personally observed lb DNSSEC failure
Verisign's DNSSEC Debugger
Here's a screenshot I took on November 2, 2020, of the DNSSEC Debugger output:
Google DNS: with and without DNSSEC
DNSSEC validation can be disabled per query by setting the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC validation.
$ dig +dnssec ns lb. @8.8.8.8
; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec ns lb. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36853
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;lb. IN NS
;; Query time: 31 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Nov 02 00:13:45 UTC 2020
;; MSG SIZE rcvd: 31
You have to disable DNSSEC validation (dig's +cd option sets the CD bit) to make DNS queries work:
$ dig +cd ns lb. @8.8.8.8
; <<>> DiG 9.10.3-P4-Debian <<>> +cd ns lb. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59137
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;lb. IN NS
;; ANSWER SECTION:
lb. 14399 IN NS FORK.STH.DNSNODE.NET.
lb. 14399 IN NS RIP.PSG.COM.
lb. 14399 IN NS ZEINA.AUB.EDU.lb.
;; Query time: 33 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Nov 02 00:13:45 UTC 2020
;; MSG SIZE rcvd: 118
Logfile examples
- [1604275868] unbound[265:0] info: validation failure <lb. NS IN>: key for validation lb. is marked as invalid because of a previous validation failure <nic.gov.lb. NS IN>: no keys have a DS with algorithm RSASHA256 from 147.28.0.39 for key lb. while building chain of trust
- [1604276033] unbound[265:0] info: validation failure <lb. NS IN>: no keys have a DS with algorithm RSASHA256 from 193.188.128.14 for key lb. while building chain of trust
- [1604285411] unbound[265:0] info: validation failure <lb. NS IN>: no keys have a DS with algorithm RSASHA256 from 77.72.229.254 for key lb. while building chain of trust
- [1604285544] unbound[265:0] info: validation failure <lb. NS IN>: key for validation lb. is marked as invalid because of a previous validation failure <mail.isoc.org.lb. A IN>: no keys have a DS with algorithm RSASHA256 from 77.72.229.254 for key lb. while building chain of trust
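Added example, not part of the original page: a Python parser for unbound validation-failure lines in the format shown above. It summarizes, per zone key, the failure window, the upstream addresses named in the log, the stated reason, and how many lines cite a previous validation failure. The function and field names are hypothetical, and the regexes assume exactly this log format.

```python
import re
from datetime import datetime, timezone

# The four unbound log lines from this page's "Logfile examples" section.
SAMPLE_LOG = """\
[1604275868] unbound[265:0] info: validation failure <lb. NS IN>: key for validation lb. is marked as invalid because of a previous validation failure <nic.gov.lb. NS IN>: no keys have a DS with algorithm RSASHA256 from 147.28.0.39 for key lb. while building chain of trust
[1604276033] unbound[265:0] info: validation failure <lb. NS IN>: no keys have a DS with algorithm RSASHA256 from 193.188.128.14 for key lb. while building chain of trust
[1604285411] unbound[265:0] info: validation failure <lb. NS IN>: no keys have a DS with algorithm RSASHA256 from 77.72.229.254 for key lb. while building chain of trust
[1604285544] unbound[265:0] info: validation failure <lb. NS IN>: key for validation lb. is marked as invalid because of a previous validation failure <mail.isoc.org.lb. A IN>: no keys have a DS with algorithm RSASHA256 from 77.72.229.254 for key lb. while building chain of trust
"""
LINE_RE = re.compile(
    r"^\[(?P<ts>\d+)\] unbound\[\d+:\d+\] info: validation failure "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: (?P<detail>.+)$")
# Root cause is the final clause: "<reason> from <server> for key <zone>".
CAUSE_RE = re.compile(
    r"(?:^|: )(?P<reason>[^:<>]+?) from (?P<server>\S+) for key (?P<zone>\S+)")
CACHED_VERDICT_RE = re.compile(r"previous validation failure <(\S+) (\S+) \S+>")


def parse_line(line):
    """Return one validation failure as a dict, or None for unrelated lines."""
    m = LINE_RE.match(line.strip().lstrip("- "))
    cause = CAUSE_RE.search(m["detail"]) if m else None
    if not cause:
        return None
    prev = CACHED_VERDICT_RE.search(m["detail"])
    return {"time": datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc),
            "query": (m["qname"], m["qtype"]), "reason": cause["reason"],
            "zone": cause["zone"], "server": cause["server"],
            "first_failed_query": (prev[1], prev[2]) if prev else None}


def summarize(log_text):
    """Group failures by the zone whose key could not be validated."""
    zones = {}
    for event in filter(None, map(parse_line, log_text.splitlines())):
        z = zones.setdefault(event["zone"], {
            "count": 0, "cached": 0, "first": event["time"],
            "last": event["time"], "servers": set(), "reasons": set()})
        z["count"] += 1
        z["cached"] += event["first_failed_query"] is not None
        z["first"] = min(z["first"], event["time"])
        z["last"] = max(z["last"], event["time"])
        z["servers"].add(event["server"])
        z["reasons"].add(event["reason"])
    return zones


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Grouping by the "for key" zone rather than by the queried name puts failures for names such as nic.gov.lb. or mail.isoc.org.lb. under the single broken chain of trust at lb.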