dnssec-name-and-shame.com DNSSEC Outage: 2022-07-13 to 2022-07-14
Date: July 14, 2022
Overview
This page gives some details on the dnssec-name-and-shame.com DNSSEC outage from July 13 to July 14, 2022. This is not their first DNSSEC outage.
Timeline / DNSViz
- 2022-07-12 06:43:02 UTC — RRSIGs expire
- 2022-07-13 06:47:12 UTC — Expired RRSIGs
- 2022-07-13 06:50:01 UTC — Expired RRSIGs
- 2022-07-14 06:54:30 UTC — last personally observed dnssec-name-and-shame.com DNSSEC failure
DNSSEC Debugger
Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from July 13, 2022:
Google Public DNS: with and without DNSSEC
DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC.
With DNSSEC, DNS queries fail:
$ dig +dnssec a dnssec-name-and-shame.com. @8.8.8.8.
; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> +dnssec a dnssec-name-and-shame.com. @8.8.8.8.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48495
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;dnssec-name-and-shame.com. IN A
;; Query time: 2470 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jul 13 02:49:03 EDT 2022
;; MSG SIZE rcvd: 54
You have to disable DNSSEC to make DNS queries work:
$ dig +cd a dnssec-name-and-shame.com. @8.8.8.8.
; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> +cd a dnssec-name-and-shame.com. @8.8.8.8.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4311
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dnssec-name-and-shame.com. IN A
;; ANSWER SECTION:
dnssec-name-and-shame.com. 3600 IN A 138.68.125.175
;; Query time: 4144 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jul 13 02:49:07 EDT 2022
;; MSG SIZE rcvd: 70
drill trace
Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):
;; Domain: dnssec-name-and-shame.com.
[B] dnssec-name-and-shame.com. 3600 IN DNSKEY 257 3 13 ;{id = 62809 (ksk), size = 256b}
dnssec-name-and-shame.com. 3600 IN DNSKEY 257 3 13 ;{id = 55032 (ksk), size = 256b}
dnssec-name-and-shame.com. 3600 IN DNSKEY 256 3 13 ;{id = 41077 (zsk), size = 256b}
[B] dnssec-name-and-shame.com. 3600 IN A 138.68.125.175
;; Error: No keys with the keytag and algorithm from the RRSIG found
;;[S] self sig OK; [B] bogus; [T] trusted
Logfile examples
- [1657694745] unbound[467:0] info: validation failure <www.dnssec-name-and-shame.com. A IN>: signature expired from 185.49.141.53 for key dnssec-name-and-shame.com. while building chain of trust
- [1657694786] unbound[467:0] info: validation failure <dnssec-name-and-shame.com. A IN>: key for validation dnssec-name-and-shame.com. is marked as invalid because of a previous validation failure
[1657699220] unbound[467:0] info: validation failure <dnssec-name-and-shame.com. A IN>: signature expired from 185.49.141.53 for key dnssec-name-and-shame.com. while building chain of trust - [1657781614] unbound[467:0] info: validation failure <dnssec-name-and-shame.com. A IN>: signature expired from 216.218.131.2 for key dnssec-name-and-shame.com. while building chain of trust
- [1657781670] unbound[467:0] info: validation failure <www.dnssec-name-and-shame.com. A IN>: key for validation dnssec-name-and-shame.com. is marked as invalid because of a previous validation failure <dnssec-name-and-shame.com. A IN>: signature expired from 216.218.131.2 for key dnssec-name-and-shame.com. while building chain of trust