usfj.mil DNSSEC Outage: 2015-02-12 to 2015-02-13
Updated: February 13, 2015
Overview
This page gives some details on the usfj.mil DNSSEC outage from February 12, 2015 to February 13, 2015. The outage lasted approximately 9 hours.
Timeline / DNSViz
- 2015-02-12 22:11:39 UTC: RRSIGs expire
- 2015-02-13 06:41:13 UTC: expired RRSIGs
- 2015-02-13 07:15:34 UTC: last observed outage (logs)
- 2015-02-13 14:46:11 UTC: outage over
Verisign's DNSSEC Debugger
Here's a screenshot I took on February 12, 2015, of the DNSSEC Debugger output:
OpenDNS vs. Google Public DNS
While Google Public DNS supports DNSSEC, OpenDNS supports the superior DNSCurve, which is (among other advantages) immune to DNSSEC failures. During this outage, Google failed to resolve names under usfj.mil while OpenDNS worked normally.
With OpenDNS, queries succeed:
$ dig www.usfj.mil. @resolver1.opendns.com
; <<>> DiG 9.4.2-P2 <<>> www.usfj.mil. @resolver1.opendns.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24103
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.usfj.mil. IN A
;; ANSWER SECTION:
www.usfj.mil. 2031 IN CNAME www.dodpw.defense.gov.edgesuite.net.
www.dodpw.defense.gov.edgesuite.net. 300 IN CNAME a1603.dscb.akamai.net.
a1603.dscb.akamai.net. 20 IN A 23.67.252.17
a1603.dscb.akamai.net. 20 IN A 23.67.252.19
;; Query time: 313 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Thu Feb 12 16:46:34 2015
;; MSG SIZE rcvd: 143
With Google Public DNS, queries fail:
$ dig www.usfj.mil. @8.8.8.8
; <<>> DiG 9.4.2-P2 <<>> www.usfj.mil. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27482
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.usfj.mil. IN A
;; Query time: 403 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Feb 12 16:46:12 2015
;; MSG SIZE rcvd: 30
Logfile examples
- [1423779528] unbound[24460:0] info: validation failure <usfj.mil. NS IN>: signature expired from 215.1.46.29 for key usfj.mil. while building chain of trust
- [1423782558] unbound[24460:0] info: validation failure <www.usfj.mil. A IN>: signature expired from 199.211.150.66 for key usfj.mil. while building chain of trust
- [1423809861] unbound[19885:0] info: validation failure <dnssec.usfj.mil. A IN>: signature expired from 199.211.150.66 for key usfj.mil. while building chain of trust
- [1423811734] unbound[19885:0] info: validation failure <usfj.mil. NS IN>: signature expired from 199.211.150.66 for key usfj.mil. while building chain of trust
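The log lines above carry epoch timestamps, so the observed failure window can be derived from them directly. The following Python is an added example, not part of the original page or of Unbound; the function names and the regular expression are assumptions written to fit the four lines shown here.

```python
import re
from datetime import datetime, timezone

# Log lines copied from the "Logfile examples" list on this page.
SAMPLE_LOG = """\
[1423779528] unbound[24460:0] info: validation failure <usfj.mil. NS IN>: signature expired from 215.1.46.29 for key usfj.mil. while building chain of trust
[1423782558] unbound[24460:0] info: validation failure <www.usfj.mil. A IN>: signature expired from 199.211.150.66 for key usfj.mil. while building chain of trust
[1423809861] unbound[19885:0] info: validation failure <dnssec.usfj.mil. A IN>: signature expired from 199.211.150.66 for key usfj.mil. while building chain of trust
[1423811734] unbound[19885:0] info: validation failure <usfj.mil. NS IN>: signature expired from 199.211.150.66 for key usfj.mil. while building chain of trust
"""

# Assumed pattern, derived only from the line shape shown above.
LINE_RE = re.compile(
    r"\[(?P<epoch>\d+)\] unbound\[\d+:\d+\] info: validation failure "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>[^>\s]+)>: (?P<reason>.+?) "
    r"from (?P<server>\S+) for key (?P<zone>\S+)"
)

def parse_failures(text):
    """Return one dict per 'validation failure' line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = datetime.fromtimestamp(int(ev.pop("epoch")), tz=timezone.utc)
        events.append(ev)
    return events

def outage_windows(events, reason="signature expired"):
    """Per signing zone: first and last failure seen, span, names and servers."""
    windows = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["reason"] != reason:
            continue
        w = windows.setdefault(ev["zone"], {"first": ev["time"], "names": set(), "servers": set()})
        w["last"] = ev["time"]
        w["names"].add(ev["qname"])
        w["servers"].add(ev["server"])
    for w in windows.values():
        w["span"] = w["last"] - w["first"]
    return windows

if __name__ == "__main__":
    for zone, w in outage_windows(parse_failures(SAMPLE_LOG)).items():
        print(f"{zone} {w['first']:%Y-%m-%d %H:%M:%S} -> {w['last']:%Y-%m-%d %H:%M:%S} UTC "
              f"(span {w['span']}), servers {sorted(w['servers'])}")
```

On these four lines the window runs from 2015-02-12 22:18:48 UTC to 2015-02-13 07:15:34 UTC, which matches the timeline's last observed outage entry.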