[outages] ServiceNow DNSSEC issues?
Michael Sinatra
michael+outages at burnttofu.net
Fri Jan 27 19:54:35 EST 2017
Looks like ServiceNow may have recently botched a KSK roll.
8.8.8.8 is intermittently giving out SERVFAIL responses, and my own
resolvers had SERVFAILs (we are a SN shop), starting around 1545 US/Pacific.
Examining the cache (and DNSVIZ) shows that at some point within the
last 3 hours, the DS record for service-now.com switched from having
keytag 30126 to keytag 31893. The DS record has a TTL of 24 hours.
It appears that at the same time, or a *short* (under 3 hours) time
later, the DNSKEY record for KSK with tag 30126 was removed from
service-now.com. The DNSKEY records have a TTL of 2 hours.
This would have caused systems that continued to reference the cached DS
record to fail validation after the DNSKEY cache TTL expired. (The
DNSKEY would have needed to be retained for at least a full TTL, and
probably 2xTTL to be on the safe side.) Again, this is causing
intermittent breakage of name resolution in service-now.com.
Appendix: repeated queries of the DS record for service-now.com to 8.8.8.8:
;; ANSWER SECTION:
service-now.com. 86395 IN DS 31893 7 1
18035BB11DFF4E2B75D677724833E8FDB9FAEC13
;; Query time: 6 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jan 28 00:33:58 UTC 2017
;; ANSWER SECTION:
service-now.com. 60788 IN DS 30126 7 1
8EB362449D1500DFFD359200F958471D915F83A8
;; Query time: 24 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jan 28 00:33:59 UTC 2017
;; MSG SIZE rcvd: 80
I'll spare you the dig output, but suffice it to say that the auth
servers for service-now.com don't have KSK 30126 in their DNSKEY RRSET.
michael
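The failure mode described in the post (a cached DS whose key tag no longer matches any published DNSKEY) can be checked mechanically. The following is an added example, not code from the poster or from ServiceNow: it computes RFC 4034 key tags from DNSKEY presentation format, reports DS key tags with no backing DNSKEY, and applies the post's retention rule of thumb. The DNSKEY lines and timings are constructed for illustration; the only real values are the two key tags quoted above.

```python
import base64
import struct

# Constructed sample DNSKEY RRset (keys are not real; tiny key material
# keeps the example short). TTL 7200 mirrors the 2-hour TTL in the post.
SAMPLE_DNSKEYS = """
service-now.com. 7200 IN DNSKEY 257 3 7 AQIDBA==
service-now.com. 7200 IN DNSKEY 256 3 7 BQY=
"""


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def keytag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1/RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_rrset(zone_text):
    """Map key tag -> flags for every DNSKEY line in dig/zone-file presentation format."""
    tags = {}
    for line in zone_text.strip().splitlines():
        fields = line.split()
        if "DNSKEY" not in fields:
            continue
        idx = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
        key_b64 = "".join(fields[idx + 4:])  # base64 may be split across whitespace
        tags[keytag(dnskey_rdata(flags, proto, alg, key_b64))] = flags
    return tags


def unbacked_ds_tags(ds_tags, dnskey_tags):
    """DS key tags with no matching DNSKEY: any resolver still holding such a DS
    in cache will SERVFAIL once its DNSKEY cache entry expires."""
    return {t for t in ds_tags if t not in dnskey_tags}


def old_ksk_safe_to_remove(ds_changed_at, now, ds_ttl, margin=2.0):
    """Old KSK may be withdrawn only after every cache could have expired the old DS;
    margin=2.0 applies the post's '2xTTL to be on the safe side' suggestion."""
    return now >= ds_changed_at + margin * ds_ttl
```

Run against a live zone by pasting the `dig +multi DNSKEY` and `dig DS` answer sections into the two inputs; a non-empty result from `unbacked_ds_tags` is the condition the post describes.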