temple.edu DNSSEC Outage: 2022-05-13

Date: May 13, 2022

Overview

This page gives some details on the temple.edu (Temple University) DNSSEC outage on May 13, 2022. Temple has around 40,000 students.

Timeline / DNSViz

Google Public DNS: with and without DNSSEC

DNSSEC validation can be disabled per query by setting the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC. With DNSSEC, DNS queries result in SERVFAIL; with the CD bit set, the same query returns NOERROR and an A record:

$ dig +dnssec a temple.edu. @8.8.8.8.

; <<>> dig 9.10.8-P1 <<>> +dnssec a temple.edu. @8.8.8.8.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59392
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;temple.edu. IN A

;; Query time: 4078 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri May 13 18:48:44 UTC 2022
;; MSG SIZE rcvd: 39


$ dig +cd a temple.edu. @8.8.8.8.

; <<>> dig 9.10.8-P1 <<>> +cd a temple.edu. @8.8.8.8.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5520
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;temple.edu. IN A

;; ANSWER SECTION:
temple.edu. 21600 IN A 155.247.166.60

;; Query time: 73 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri May 13 18:48:44 UTC 2022
;; MSG SIZE rcvd: 55
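
The comparison above can be scripted. The following is an added example, not part of the original page: it reads the header lines of the two dig outputs and reports whether the failure is attributable to DNSSEC validation. The function names and verdict words are hypothetical, and it assumes the resolver sets the AD flag on answers it has validated.

```shell
#!/bin/sh
# Added example (not from the original page): tell a DNSSEC validation failure
# apart from an ordinary resolution failure by comparing a validated query
# with a CD (checking disabled) query. Function and verdict names are made up.

# Pull the rcode out of dig's ";; ->>HEADER<<- ... status: X, id: N" line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Pull the header flags ("qr rd ra cd") out of dig's ";; flags: ...;" line.
dig_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1
}

# classify VALIDATED_OUTPUT CD_OUTPUT -> prints one verdict word.
classify() {
    vs=$(dig_status "$1"); cs=$(dig_status "$2")
    [ -n "$vs" ] && [ -n "$cs" ] || { echo unparseable; return 0; }
    case "$vs/$cs" in
        SERVFAIL/SERVFAIL) echo resolution-failure ;;   # fails even unvalidated
        SERVFAIL/NOERROR|SERVFAIL/NXDOMAIN) echo dnssec-validation-failure ;;
        SERVFAIL/*) echo inconclusive ;;                # e.g. CD query REFUSED
        *)  case " $(dig_flags "$1") " in
                *" ad "*) echo validated ;;             # resolver set the AD flag
                *)        echo unauthenticated ;;       # answered without AD
            esac ;;
    esac
}

# Live use (needs dig and network access; not called below).
compare_live() {  # usage: compare_live temple.edu. 8.8.8.8
    classify "$(dig +dnssec a "$1" "@$2")" "$(dig +cd a "$1" "@$2")"
}

# Header lines copied from the two dig outputs on this page.
PAGE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59392
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
PAGE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5520
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

echo "temple.edu. via 8.8.8.8: $(classify "$PAGE_VALIDATED" "$PAGE_CD")"
```

A verdict of unauthenticated covers both an unsigned zone and a resolver that does not validate, so it says nothing about the zone on its own.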

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file with the relevant portion below (emphasis added):

[T] temple.edu. 86400 IN DS 8746 8 2 12f3bbf84ac4117964c43b577cd81873033cb7412efc37525e6b55b28f2ef585
temple.edu. 86400 IN DS 59455 8 2 0c098853830e00402ce85431a677e0efba4bef656cadbe5c400e750743eaffd9
;; Domain: temple.edu.
[U] No data found for: temple.edu. type A
;;[S] self sig OK; [B] bogus; [T] trusted; [U] unsigned

Logfile examples