educom.edu 5-year DNSSEC Outage: 2012-2017

Updated: July 15, 2018

Overview

This page gives some details on the educom.edu DNSSEC outage that persisted for over five years — longer than it takes to get an undergraduate degree!

Timeline / DNSViz

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from January 29, 2017:

January 29, 2017 educom.edu DNSSEC outage

Google Public DNS: with and without DNSSEC

DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC.

With DNSSEC, DNS queries fail:

$ dig +dnssec www.educom.edu. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec www.educom.edu. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62368
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.educom.edu. IN A

;; Query time: 1087 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jan 27 05:59:22 2018
;; MSG SIZE rcvd: 43


You have to disable DNSSEC to make DNS queries work:

$ dig +cd www.educom.edu. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +cd www.educom.edu. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35070
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.educom.edu. IN A

;; ANSWER SECTION:
www.educom.edu. 3599 IN A 216.85.144.214

;; Query time: 85 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jan 27 05:59:22 2018
;; MSG SIZE rcvd: 48

dnscheck

Zonemaster

Logfile examples