.na TLD DNSSEC Outage: 2022-10-04

Date: October 4, 2022

Overview

This page gives some details on the .na (Namibia) TLD DNSSEC outage on October 4, 2022. This was not the first DNSSEC outage for Namibia.

Timeline / DNSViz

• 2022-10-04 00:33:44 UTC — Bogus DNSSEC delegation
  • (archive.ph snapshot)
  • (archive.org snapshot)
• 2022-10-04 00:38:30 UTC — Bogus DNSSEC delegation
• 2022-10-04 00:39:20 UTC — Bogus DNSSEC delegation
• 2022-10-04 05:06:45 UTC — Bogus DNSSEC delegation
• 2022-10-04 06:30:04 UTC — Bogus DNSSEC delegation
• 2022-10-04 07:03:38 UTC — Bogus DNSSEC delegation
• 2022-10-04 07:04:24 UTC — Bogus DNSSEC delegation
• 2022-10-04 07:21:50 UTC — Bogus DNSSEC delegation
• 2022-10-04 07:32:23 UTC — Bogus DNSSEC delegation
• 2022-10-04 07:49:30 UTC — Bogus DNSSEC delegation
• 2022-10-04 08:06:52 UTC — Bogus DNSSEC delegation
• 2022-10-04 08:36:23 UTC — Bogus DNSSEC delegation
• 2022-10-04 09:18:52 UTC — Bogus DNSSEC delegation
• 2022-10-04 09:50:50 UTC — Bogus DNSSEC delegation
• 2022-10-04 10:25:24 UTC — Bogus DNSSEC delegation
• 2022-10-04 10:57:18 UTC — Bogus DNSSEC delegation
• 2022-10-04 11:08:03 UTC — Bogus DNSSEC delegation
• 2022-10-04 11:23:15 UTC — Bogus DNSSEC delegation
  • (archive.ph snapshot)
  • (archive.org snapshot)
• 2022-10-04 11:41:47 UTC — DNSSEC outage debris

DNSSEC Debugger

Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from October 4, 2022:

Google DNS: with and without DNSSEC

DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC.

$ dig +dnssec ns na. @8.8.8.8.

; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> +dnssec ns na. @8.8.8.8.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32206
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;na. IN NS

;; Query time: 15 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Oct 03 20:38:04 EDT 2022
;; MSG SIZE rcvd: 31

---

You have to disable DNSSEC to make DNS queries work:

$ dig +cd ns na. @8.8.8.8.

; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> +cd ns na. @8.8.8.8.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64176
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;na. IN NS

;; ANSWER SECTION:
na. 3600 IN NS anyc2.irondns.net.
na. 3600 IN NS na.anycastdns.cz.
na. 3600 IN NS etld-1.anycast.net.
na. 3600 IN NS na-ns.anycast.pch.net.

;; Query time: 15 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Oct 03 20:38:04 EDT 2022
;; MSG SIZE rcvd: 153

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):

[T] na. 86400 IN DS 25076 5 1 e3273b3172968f416bceadf4620a18c85abb6dc5
;; Domain: na.
;; Signature ok but no chain to a trusted key or ds record
[S] na. 345600 IN DNSKEY 256 3 8 ;{id = 58095 (zsk), size = 2048b}
na. 345600 IN DNSKEY 256 3 8 ;{id = 1953 (zsk), size = 2048b}
na. 345600 IN DNSKEY 257 3 8 ;{id = 25079 (ksk), size = 4096b}
[S] Existence denied: na. A
;;[S] self sig OK; [B] bogus; [T] trusted

Logfile examples

These Unbound log entries come from 3 different Unbound instances, running different operating systems in 3 different geographical regions.

• [1664843575] unbound[95468:0] info: validation failure <na. NS IN>: No DNSKEY record for key na. while building chain of trust
• [1664843673] unbound[95468:0] info: validation failure <na. NS IN>: no keys have a DS with algorithm RSASHA1 from 185.38.108.108 for key na. while building chain of trust
• [1664843749] unbound[95468:0] info: validation failure <na. NS IN>: no keys have a DS with algorithm RSASHA1 from 185.28.194.194 for key na. while building chain of trust
• [1664843818] unbound[95468:0] info: validation failure <na. NS IN>: no keys have a DS with algorithm RSASHA1 from 195.253.64.7 for key na. while building chain of trust
• [1664843893] unbound[95468:0] info: validation failure <na. NS IN>: no keys have a DS with algorithm RSASHA1 from 204.61.216.35 for key na. while building chain of trust
• [1664844119] unbound[95468:0] info: validation failure <na. NS IN>: no keys have a DS with algorithm RSASHA1 from 45.54.45.54 for key na. while building chain of trust
• [1664864983] unbound[25317:0] info: validation failure <na. NS IN>: no keys have a DS with algorithm RSASHA1 from 204.61.216.35 for key na. while building chain of trust
• [1664875724] unbound[25317:0] info: validation failure <na. NS IN>: no keys have a DS with algorithm RSASHA1 from 204.61.216.35 for key na. while building chain of trust
• [1664875798] unbound[25317:0] info: validation failure <na. NS IN>: no keys have a DS with algorithm RSASHA1 from 185.38.108.108 for key na. while building chain of trust
• [1664875913] unbound[25317:0] info: validation failure <na. NS IN>: no keys have a DS with algorithm RSASHA1 from 195.253.64.7 for key na. while building chain of trust
• [1664883240] unbound[426:0] info: validation failure <na. NS IN>: no keys have a DS with algorithm RSASHA1 from 45.54.45.54 for key na. while building chain of trust
• [1664883448] unbound[426:0] info: validation failure <na. NS IN>: no keys have a DS with algorithm RSASHA1 from 185.38.108.108 for key na. while building chain of trust
• [1664883517] unbound[426:0] info: validation failure <na. NS IN>: no keys have a DS with algorithm RSASHA1 from 195.253.64.7 for key na. while building chain of trust
• [1664883539] unbound[426:0] info: validation failure <na. NS IN>: key for validation na. is marked as invalid because of a previous validation failure <na. NS IN>: no keys have a DS with algorithm RSASHA1 from 195.253.64.7 for key na. while building chain of trust
• [1664883880] unbound[25317:0] info: validation failure <na. NS IN>: no keys have a DS with algorithm RSASHA1 from 195.253.64.7 for key na. while building chain of trust