educom.edu 5-year DNSSEC Outage: 2012-2017

Updated: July 15, 2018

Overview

This page gives some details on the educom.edu DNSSEC outage that persisted for over five years — longer than it takes to get an undergraduate degree!

Timeline / DNSViz

2012-12-20 04:38:57 UTC — Bogus DNSSEC delegation
2013-12-03 07:45:02 UTC — Bogus DNSSEC delegation
2014-09-17 21:29:06 UTC — Bogus DNSSEC delegation
2015-12-16 21:29:37 UTC — Bogus DNSSEC delegation
2016-09-17 21:29:05 UTC — Bogus DNSSEC delegation
2017-01-29 13:29:38 UTC — Bogus DNSSEC delegation
2018-01-27 05:29:00 UTC — Bogus DNSSEC delegation
2018-07-05 03:55:58 UTC — Bogus DNSSEC delegation
2018-07-09 00:14:40 UTC — last personally observed DNSSEC failure

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from January 29, 2017:

January 29, 2017 educom.edu DNSSEC outage

Google Public DNS: with and without DNSSEC

DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC.

With DNSSEC, DNS queries fail:

$ dig +dnssec www.educom.edu. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec www.educom.edu. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62368
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.educom.edu. IN A

;; Query time: 1087 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jan 27 05:59:22 2018
;; MSG SIZE rcvd: 43

You have to disable DNSSEC to make DNS queries work:

$ dig +cd www.educom.edu. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +cd www.educom.edu. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35070
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.educom.edu. IN A

;; ANSWER SECTION:
www.educom.edu. 3599 IN A 216.85.144.214

;; Query time: 85 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jan 27 05:59:22 2018
;; MSG SIZE rcvd: 48

dnscheck

dnscheck.iis.se archived this educom.edu DNSSEC outage, noting "Inconsistent security for educom.edu - DS found at parent, but no DNSKEY found at child."
dnscheck.labs.nic.cz also archived this educom.edu DNSSEC outage, noting "Inconsistent security for educom.edu - DS found at parent, but no DNSKEY found at child."

Zonemaster

zonemaster.net archived this educom.edu DNSSEC outage, noting "Delegation from parent to child is not properly signed (no_dnskey; no_dnskey; no_dnskey; no_dnskey; no_dnskey)."
zonemaster.fr archived this educom.edu DNSSEC outage, noting "Delegation from parent to child is not properly signed (no_dnskey; no_dnskey; no_dnskey; no_dnskey; no_dnskey)."

Logfile examples

[1474166112] unbound[11969:0] info: validation failure <www.educom.edu. A IN>: No DNSKEY record from 216.85.144.250 for key educom.edu. while building chain of trust
[1531095280] unbound[96822:0] info: validation failure <educom.edu. A IN>: No DNSKEY record from 216.85.144.250 for key educom.edu. while building chain of trust