parler.com DNSSEC Outage: 2021-04-17 to 2021-04-18
Date: April 17, 2021
This page gives some details on the parler.com DNSSEC outage from April 17 to April 18, 2021. This DNSSEC outage lasted a day and a half. Haha!
Timeline / DNSViz
- 2021-04-17 07:44:13 UTC — RRSIGs expire
- 2021-04-18 04:12:52 UTC — Expired RRSIGs
- 2021-04-18 05:03:46 UTC — Expired RRSIGs
- 2021-04-18 13:26:58 UTC — Expired RRSIGs
- 2021-04-18 14:37:21 UTC — Expired RRSIGs
- 2021-04-18 17:18:04 UTC — Expired RRSIGs
- 2021-04-18 19:28:16 UTC — Expired RRSIGs
- 2021-04-18 21:21:06 UTC — Expired RRSIGs
- 2021-04-18 21:36:51 UTC — DNSSEC outage over
Here is a mirror which shows the outage in DNSViz, courtesy of archive.is.
Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from April 18, 2021:
- zonemaster.net archived expired RRSIG errors. (archive.is copy)
- zonemaster.labs.nic.cz archived expired RRSIG errors. (archive.is copy)
- zonemaster.iis.se archived expired RRSIG errors (archive.is copy)
dns.google.com saw this outage. See the historical view courtesy of archive.is. Here's a screenshot:
This DNSSEC outage was discussed on Twitter. Kenn White wrote: "Gift that keeps on giving: the network team at Parler didn't implement DNSSEC properly, and have effectively DOS'd themselves." (archive.is copy)
Please note that Jason Livingood's tweet contains some common DNSSEC misinformation: "...whoever manages Parler's DNS let their encryption key expire..." (archive.is copy) In pro-DNSSEC circles it's extremely common to make the false claim or implication that DNSSEC is encrypted. DNSSEC is not encrypted! DNSSEC signs resource records. It doesn't encrypt them. So Parler's "encryption key" doesn't exist. Parler's DNSSEC signing key expired.