libhydrogen.org DNSSEC Outage: 2020-12-07
Date: December 7, 2020
Overview
This page gives some details on the libhydrogen.org DNSSEC outage on December 7, 2020.
Timeline / DNSViz
- 2020-12-07 12:41:20 UTC — first personally observed libhydrogen.org DNSSEC failure
- 2020-12-07 12:44:11 UTC — Bogus DNSSEC delegation
- 2020-12-07 17:39:40 UTC — last personally observed libhydrogen.org DNSSEC failure
Verisign's DNSSEC Debugger
Verisign doesn't archive test results, so here's a screenshot I took of my web browser's output on February 19, 2017:
Google DNS: with and without DNSSEC
DNSSEC validation can be switched off for a query via the CD (checking disabled) bit, which asks the resolver to return whatever answer it has without validating it. Let's compare DNS queries with and without DNSSEC validation.
$ dig +dnssec a www.libhydrogen.org. @8.8.8.8
; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec a www.libhydrogen.org. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39336
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.libhydrogen.org. IN A
;; Query time: 299 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Dec 07 12:46:43 UTC 2020
;; MSG SIZE rcvd: 48
You have to disable DNSSEC validation (+cd) to get an answer instead of SERVFAIL:
$ dig +cd a www.libhydrogen.org. @8.8.8.8
; <<>> DiG 9.10.3-P4-Debian <<>> +cd a www.libhydrogen.org. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45765
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.libhydrogen.org. IN A
;; ANSWER SECTION:
www.libhydrogen.org. 9999 IN A 37.59.238.213
;; Query time: 153 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Dec 07 12:46:43 UTC 2020
;; MSG SIZE rcvd: 64
drill trace
Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):
[T] libhydrogen.org. 86400 IN DS 17506 13 2 8b243a0a24f9842096369255649fcf3bd99bb38de0c20f1ec9922bb0d84e13dc
;; Domain: libhydrogen.org.
;; Signature ok but no chain to a trusted key or ds record
[S] libhydrogen.org. 86400 IN DNSKEY 256 3 13 ;{id = 47781 (zsk), size = 256b}
libhydrogen.org. 86400 IN DNSKEY 257 3 13 ;{id = 61671 (ksk), size = 256b}
[S] libhydrogen.org. 10000 IN A 37.59.238.213
;;[S] self sig OK; [B] bogus; [T] trusted
Logfile examples
- [1607344880] unbound[265:0] info: validation failure <libhydrogen.org. A IN>: no keys have a DS with algorithm ECDSAP256SHA256 from 37.59.238.213 for key libhydrogen.org. while building chain of trust
- [1607345198] unbound[265:0] info: validation failure <www.libhydrogen.org. A IN>: no keys have a DS with algorithm ECDSAP256SHA256 from 82.64.197.71 for key libhydrogen.org. while building chain of trust
- [1607362466] unbound[265:0] info: validation failure <libhydrogen.org. A IN>: no keys have a DS with algorithm ECDSAP256SHA256 from 82.64.197.71 for key libhydrogen.org. while building chain of trust
- [1607362780] unbound[265:0] info: validation failure <www.libhydrogen.org. A IN>: no keys have a DS with algorithm ECDSAP256SHA256 from 82.64.197.71 for key libhydrogen.org. while building chain of trust
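The drill trace and the unbound log lines above describe the same failure: the DS that .org publishes for libhydrogen.org (key tag 17506) names neither of the DNSKEYs the zone serves (ids 47781 and 61671), so no chain of trust can be built. As an added example that is not part of the original post, the Python below implements that DS-to-DNSKEY check (RFC 4034 key tag and DS digest) and runs it against the DS from the drill trace; the zone's real public keys are not on the page, so the two DNSKEYs are constructed stand-ins, which is enough to reproduce the "no keys have a DS" outcome next to a healthy control case.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest (RFC 4034 section 5.1.4): hash(canonical owner name || DNSKEY RDATA)."""
    h = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest()

def matching_dnskey(owner: str, ds: tuple, dnskeys: list):
    """Return the DNSKEY RDATA that the DS authenticates, or None (chain of trust is bogus).
    ds = (key_tag, algorithm, digest_type, digest_hex); dnskeys = list of DNSKEY RDATA bytes."""
    tag, alg, dtype, digest = ds
    for rdata in dnskeys:
        if rdata[3] != alg or key_tag(rdata) != tag:  # byte 3 of the RDATA is the algorithm
            continue
        if ds_digest(owner, rdata, dtype) == digest.lower():
            return rdata
    return None

# DS that .org published for libhydrogen.org during the outage (copied from the drill trace).
OUTAGE_DS = (17506, 13, 2, "8b243a0a24f9842096369255649fcf3bd99bb38de0c20f1ec9922bb0d84e13dc")
# Constructed stand-ins for the zone's DNSKEYs: drill reported ids 47781 (zsk) and 61671 (ksk),
# but the real public keys are not on the page, so these carry synthetic 64-byte P-256 points.
FAKE_ZSK = dnskey_rdata(256, 3, 13, bytes([0x01]) * 64)
FAKE_KSK = dnskey_rdata(257, 3, 13, bytes([0x02]) * 64)

def outage_chain_ok() -> bool:
    """What the validator saw on 2020-12-07: no DNSKEY in the zone is covered by the DS."""
    return matching_dnskey("libhydrogen.org", OUTAGE_DS, [FAKE_ZSK, FAKE_KSK]) is not None

def healthy_chain_ok() -> bool:
    """Control case: a DS derived from FAKE_KSK must link the chain to that key."""
    good_ds = (key_tag(FAKE_KSK), 13, 2, ds_digest("libhydrogen.org", FAKE_KSK, 2))
    return matching_dnskey("libhydrogen.org", good_ds, [FAKE_ZSK, FAKE_KSK]) == FAKE_KSK
```

A fix on the operator's side is either re-publishing a DS that matches the live KSK or serving the DNSKEY the current DS points at; until then every validating resolver returns SERVFAIL, as the dig output shows.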