parler.com DNSSEC Outage: 2021-04-17 to 2021-04-18

Date: April 17, 2021

Overview

This page gives some details on the parler.com DNSSEC outage from April 17 to April 18, 2021. This DNSSEC outage lasted a day and a half. Haha!

Timeline / DNSViz

• 2021-04-17 07:44:13 UTC — RRSIGs expire
• 2021-04-18 04:12:52 UTC — Expired RRSIGs
• 2021-04-18 05:03:46 UTC — Expired RRSIGs
• 2021-04-18 13:26:58 UTC — Expired RRSIGs
• 2021-04-18 14:37:21 UTC — Expired RRSIGs
• 2021-04-18 17:18:04 UTC — Expired RRSIGs
• 2021-04-18 19:28:16 UTC — Expired RRSIGs
• 2021-04-18 21:21:06 UTC — Expired RRSIGs
• 2021-04-18 21:36:51 UTC — DNSSEC outage over

Here is a mirror which shows the outage in DNSViz, courtesy of archive.is.

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from April 18, 2021:

Zonemaster

• zonemaster.net archived expired RRSIG errors. (archive.is copy)
• zonemaster.labs.nic.cz archived expired RRSIG errors. (archive.is copy)
• zonemaster.iis.se archived expired RRSIG errors (archive.is copy)

dns.google.com

dns.google.com saw this outage. See the historical view courtesy of archive.is. Here's a screenshot:

Twitter

This DNSSEC outage was discussed on Twitter. Kenn White wrote: "Gift that keeps on giving: the network team at Parler didn't implement DNSSEC properly, and have effectively DOS'd themselves." (archive.is copy)

And Barry Dorrans wrote: "Dnssec proves its worth" (archive.is copy)

Please note that Jason Livingood's tweet contains some common DNSSEC misinformation: "...whoever manages Parler's DNS let their encryption key expire..." (archive.is copy) In pro-DNSSEC circles it's extremely common to make the false claim or implication that DNSSEC is encrypted. DNSSEC is not encrypted! DNSSEC signs resource records. It doesn't encrypt them. So Parler's "encryption key" doesn't exist. Parler's DNSSEC signing key expired.