usfj.mil DNSSEC Outage: 2015-03-19 to 2015-03-20
Updated: March 20, 2015
Overview
This page gives some details on the usfj.mil DNSSEC outage from March 19, 2015 to March 20, 2015. The outage lasted approximately 19.5 hours.
Timeline / DNSViz
- 2015-03-19 07:59:28 UTC: RRSIGs expire
- 2015-03-19 14:47:05 UTC: expired RRSIGs
- 2015-03-19 21:03:37 UTC: expired RRSIGs
- 2015-03-20 02:49:13 UTC: expired RRSIGs
- 2015-03-20 03:27:56 UTC: new DNSKEY RRSIGs
- 2015-03-20 14:45:49 UTC: outage over
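An added example (not part of the original page): a monitoring check for the failure mode in this timeline, signatures passing their expiration time without being replaced. It parses RRSIG records in the presentation format printed by dig +dnssec and reports each one's validity state at a given time. The function names are this example's own, and the sample records are constructed; only the 2015-03-19 07:59:28 UTC expiration comes from the timeline.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in `dig +dnssec` presentation format. Only the first
# expiration (2015-03-19 07:59:28 UTC) comes from the timeline; inception times,
# key tags, algorithm numbers and signature text are placeholders.
SAMPLE = """\
usfj.mil. 3600 IN RRSIG DNSKEY 8 2 3600 20150319075928 20150309075928 11111 usfj.mil. c2lnLXBsYWNlaG9sZGVy
usfj.mil. 3600 IN RRSIG SOA 8 2 3600 20150322000000 20150312000000 22222 usfj.mil. c2lnLXBsYWNlaG9sZGVy
usfj.mil. 3600 IN RRSIG NS 8 2 3600 20150330000000 20150320000000 22222 usfj.mil. c2lnLXBsYWNlaG9sZGVy
usfj.mil. 3600 IN NS ns.example.
"""

def parse_ts(field):
    """RFC 4034 section 3.2 allows YYYYMMDDHHmmSS (UTC) or seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_rrsigs(text):
    """Yield (owner, type_covered, key_tag, inception, expiration) per RRSIG line."""
    for line in text.splitlines():
        f = line.split()
        # owner TTL class RRSIG covered alg labels orig_ttl expiration inception tag signer sig
        if len(f) >= 13 and f[3].upper() == "RRSIG":
            yield f[0], f[4], int(f[10]), parse_ts(f[9]), parse_ts(f[8])

def classify(inception, expiration, now, warn=timedelta(days=3)):
    """State a validating resolver sees at `now`, plus an early-warning state."""
    if now > expiration:
        return "expired"        # validators reject the RRset and answer SERVFAIL
    if now < inception:
        return "not-yet-valid"  # also rejected; usually signer clock skew
    if expiration - now <= warn:
        return "expiring"       # still valid, re-sign before the window closes
    return "ok"

def audit(text, now):
    """Map (owner, type_covered) to its state at `now`."""
    return {(owner, covered): classify(inc, exp, now)
            for owner, covered, _tag, inc, exp in parse_rrsigs(text)}

if __name__ == "__main__":
    # Constructed check time that falls inside the outage window.
    now = datetime(2015, 3, 20, 4, 0, tzinfo=timezone.utc)
    for key, state in audit(SAMPLE, now).items():
        print(key, state)
```

Run on a schedule against the zone's own signed answers, the "expiring" state gives warning before validating resolvers start rejecting the zone.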
Verisign's DNSSEC Debugger
Here's a screenshot I took on March 20, 2015, of the DNSSEC Debugger output:
OpenDNS vs. Google Public DNS
While Google Public DNS supports DNSSEC, OpenDNS supports the superior DNSCurve, which is (among other advantages) immune to DNSSEC failures. During this outage, Google failed to resolve names under usfj.mil while OpenDNS worked normally.
With OpenDNS, queries succeed:
$ dig www.usfj.mil. @resolver1.opendns.com.
; <<>> DiG 9.4.2-P2 <<>> www.usfj.mil. @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50163
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.usfj.mil. IN A
;; ANSWER SECTION:
www.usfj.mil. 7151 IN CNAME www.dodpw.defense.gov.edgesuite.net.
www.dodpw.defense.gov.edgesuite.net. 251 IN CNAME a1603.dscb.akamai.net.
a1603.dscb.akamai.net. 20 IN A 23.63.227.168
a1603.dscb.akamai.net. 20 IN A 23.63.227.128
;; Query time: 13 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Fri Mar 20 04:00:41 2015
;; MSG SIZE rcvd: 143
With Google Public DNS, queries fail:
$ dig www.usfj.mil. @8.8.8.8
; <<>> DiG 9.4.2-P2 <<>> www.usfj.mil. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56454
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.usfj.mil. IN A
;; Query time: 343 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Mar 20 03:59:23 2015
;; MSG SIZE rcvd: 30