internetsociety.org DNSSEC Outage: 2020-11-03

Date: November 3, 2020

Overview

This page gives some details on the internetsociety.org DNSSEC outage on November 3, 2020. The Internet Society is one of the biggest supporters of DNSSEC, and this is not the first DNSSEC outage, or even the second, for the Internet Society. Their DNS service is provided by Cloudflare.

Timeline / DNSViz

Verisign's DNSSEC Debugger

Verisign doesn't archive test results, so here's a screenshot I took of my web browser's output on February 19, 2017:

internetsociety.org DNSSEC outage: November 3, 2020

Google DNS: with and without DNSSEC

DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC.

$ dig +dnssec mx internetsociety.org. @8.8.8.8

; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec mx internetsociety.org. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29274
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;internetsociety.org. IN MX

;; Query time: 3 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Nov 03 20:16:17 UTC 2020
;; MSG SIZE rcvd: 48


You have to disable DNSSEC to make DNS queries work:

$ dig +cd mx internetsociety.org. @8.8.8.8

; <<>> DiG 9.10.3-P4-Debian <<>> +cd mx internetsociety.org. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64654
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;internetsociety.org. IN MX

;; ANSWER SECTION:
internetsociety.org. 299 IN MX 0 internetsociety-org.mail.protection.outlook.com.

;; Query time: 3 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Nov 03 20:16:17 UTC 2020
;; MSG SIZE rcvd: 111
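
The comparison above can be automated. The following Python is an added example, not part of the original page: it builds the same two queries at wire level (DO flag in the EDNS OPT record, CD bit in the header) and classifies a pair of replies. The function names, the 1232-byte EDNS size and the sample reply headers are constructed for illustration.

```python
import socket
import struct

RD, CD = 0x0100, 0x0010   # header flags: Recursion Desired, Checking Disabled
DO = 0x8000               # EDNS0 "DNSSEC OK" flag, carried in the OPT TTL field
NOERROR, SERVFAIL = 0, 2

def build_query(name, qtype, qid, cd=False, do=False):
    """Encode one query plus an EDNS0 OPT record (1232-byte size is an assumption)."""
    header = struct.pack("!6H", qid, RD | (CD if cd else 0), 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"
    question = qname + struct.pack("!2H", qtype, 1)          # class IN
    # OPT RR: root name, TYPE 41, CLASS = UDP size, TTL = ext-rcode/version/flags
    opt = b"\0" + struct.pack("!HHIH", 41, 1232, DO if do else 0, 0)
    return header + question + opt

def parse_header(msg):
    """Return (rcode, cd_bit_set, answer_count) from a raw DNS message."""
    _qid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return flags & 0x000F, bool(flags & CD), an

def classify(validated, unchecked):
    """Compare replies to the same question asked normally and with CD set."""
    rcode_v, _, _ = parse_header(validated)
    rcode_c, cd, answers = parse_header(unchecked)
    if rcode_v == SERVFAIL and cd and rcode_c == NOERROR and answers > 0:
        return "dnssec-validation-failure"   # data exists, validation rejects it
    if rcode_v == SERVFAIL and rcode_c == SERVFAIL:
        return "resolution-failure"          # broken regardless of DNSSEC
    return "ok" if rcode_v == NOERROR else "other"

def ask(resolver, query, timeout=3.0):
    """Send one query over UDP and return the raw reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        return s.recvfrom(4096)[0]

# Constructed reply headers mirroring the two dig outputs above:
# "qr rd ra" + SERVFAIL with 0 answers, and "qr rd ra cd" + NOERROR with 1 answer.
SAMPLE_VALIDATED = struct.pack("!6H", 29274, 0x8180 | SERVFAIL, 1, 0, 0, 1)
SAMPLE_UNCHECKED = struct.pack("!6H", 64654, 0x8180 | CD, 1, 1, 0, 1)

if __name__ == "__main__":
    print(classify(SAMPLE_VALIDATED, SAMPLE_UNCHECKED))
```

Against a live resolver, pass the results of `ask("8.8.8.8", build_query(name, 15, qid, do=True))` and `ask("8.8.8.8", build_query(name, 15, qid, cd=True))` to `classify`.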

Logfile examples