usfj.mil DNSSEC Outage: 2015-01-26 to 2015-01-27

Updated: January 27, 2015

Overview

This page gives some details on the usfj.mil DNSSEC outage from January 26 to January 27, 2015. The outage lasted over 29 hours.

Timeline / DNSViz

Verisign's DNSSEC Debugger

Here's a screenshot I took on January 3, 2015, of the DNSSEC Debugger output:

[Screenshot: usfj.mil DNSSEC outage January 26, 2015]

OpenDNS vs. Google Public DNS

While Google Public DNS supports DNSSEC, OpenDNS supports the superior DNSCurve, which is (among other advantages) immune to DNSSEC failures. During this outage, Google failed to resolve names under usfj.mil while OpenDNS worked normally.

With OpenDNS, queries succeed:

$ dig www.usfj.mil. @resolver1.opendns.com

; <<>> DiG 9.4.2-P2 <<>> www.usfj.mil. @resolver1.opendns.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52872
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.usfj.mil. IN A

;; ANSWER SECTION:
www.usfj.mil. 6020 IN A 215.1.46.23

;; Query time: 133 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sun Jan 25 23:28:41 2015
;; MSG SIZE rcvd: 46


With Google Public DNS, queries fail:

$ dig www.usfj.mil. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> www.usfj.mil. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 13671
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.usfj.mil. IN A

;; Query time: 309 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jan 25 23:29:18 2015
;; MSG SIZE rcvd: 30
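
The comparison above can be automated when triaging a SERVFAIL. The following Python code is an added example, not part of the original page: it parses the header lines of the two dig outputs shown above and classifies the failure. The `+cdflag` reply is a constructed sample, and the function names and result labels are assumptions chosen for illustration.

```python
import re

# Header lines copied from the two dig outputs on this page.
OPENDNS = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52872
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0"""
GOOGLE = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 13671
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0"""
# Constructed sample (not from the page): the shape of a reply to
# `dig +cdflag` sent to a validating resolver (checking disabled).
CONSTRUCTED_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0"""

HEADER = re.compile(
    r"status: (\w+), id: \d+\s*\n;; flags: ([a-z ]*); QUERY: \d+, ANSWER: (\d+)")

def parse_dig(text):
    """Return rcode, header flags and answer count from dig text output."""
    m = HEADER.search(text)
    if m is None:
        raise ValueError("no dig response header found")
    return {"rcode": m.group(1), "flags": set(m.group(2).split()),
            "answers": int(m.group(3))}

def has_data(resp):
    return resp["rcode"] == "NOERROR" and resp["answers"] > 0

def classify(validating, non_validating, validating_cd=None):
    """Triage a SERVFAIL seen at a validating resolver.

    validating      dig output from the validating resolver
    non_validating  dig output from a resolver that does not validate
    validating_cd   optional output of the same query sent with +cdflag
    """
    if parse_dig(validating)["rcode"] != "SERVFAIL":
        return "no-failure"
    if validating_cd is not None:
        # CD bit set: the resolver answers without validating, so data here
        # while the normal query fails isolates validation as the cause.
        cd = parse_dig(validating_cd)
        return "dnssec-validation-failure" if has_data(cd) else "resolution-failure"
    if has_data(parse_dig(non_validating)):
        # The zone is reachable and serving data; only validation differs.
        return "probable-dnssec-validation-failure"
    return "resolution-failure"

if __name__ == "__main__":
    print(classify(GOOGLE, OPENDNS))
    print(classify(GOOGLE, OPENDNS, CONSTRUCTED_CD))
```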

Logfile examples