DNSSEC administration likely cause of .gov outage - UPDATED
A government website outage that lasted for hours the morning of Aug. 14 was likely caused by a failure to update a cryptographic key necessary for DNSSEC, says cybersecurity researcher Johannes Ullrich.
Websites in the .gov domain were unresponsive for a few hours on Wednesday morning but returned to normal by early afternoon. Ullrich, dean of research at the SANS Technology Institute, says government webmasters appear to have forgotten to update the delegation signer (DS) record, a step that's necessary after updating the key signing key in a domain name system root.
Government websites have utilized DNSSEC since 2009 amid a generalized worry that without it, the domain name system could be hijacked by hackers who could falsely resolve requests for a government webpage and instead return a malicious website.
DNSSEC--it stands for Domain Name System Security Extensions--works by having a key signing key validate shorter zone signing keys, which in turn create confidence, through a public/private cryptographic key match, that a typed URL resolves to the correct Internet Protocol address. For example, DNSSEC means that government top-level domain operators can be reasonably assured that every DNS resolver request for the IP address corresponding to gsa.gov will be answered by the correct one, 220.127.116.11.
The zone signing keys can be changed often, but the key signing key periodically needs replacement as well, Ullrich noted.
"I think they published a new [key signing key] but forgot to update the new [delegation of signing] record to the root zone," he said. That likely meant that DNS resolvers were sending the wrong cryptographic hash to the government root, meaning that browser requests couldn't be resolved.
Officials from the General Services Administration, which administers the .gov domain, did not return phone calls.
Ullrich added that it's likely government webmasters simply reverted to the old key signing key in order to prevent an ongoing outage.
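The mismatch Ullrich describes can be checked before a rollover goes live. The sketch below is an added example, not code from the article or from GSA: it derives the DS record a parent zone should hold for a key signing key (a SHA-256 digest over the owner name and the DNSKEY data, per RFC 4034 and RFC 4509) and tests whether any published KSK still matches. The function names and the key material are constructed for illustration, and the check covers only the DS-to-DNSKEY link, not signature validation.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercase) DNS wire format of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS tuple (key tag, algorithm, digest type 2 = SHA-256, digest hex)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def chain_intact(owner, parent_ds, child_dnskeys):
    """True if any KSK (SEP bit set) the zone publishes matches a DS at the parent."""
    ksks = [k for k in child_dnskeys if struct.unpack("!H", k[:2])[0] & 1]
    return any(make_ds(owner, k) in parent_ds for k in ksks)

# Constructed key material for illustration, not real .gov keys.
OLD_KSK = dnskey_rdata(257, 8, b"constructed-old-ksk")
NEW_KSK = dnskey_rdata(257, 8, b"constructed-new-ksk")
ZSK = dnskey_rdata(256, 8, b"constructed-zsk")
PARENT_DS = {make_ds("gov.", OLD_KSK)}  # the root still lists only the old key

def rollover_report():
    """Chain status at each stage of a KSK rollover."""
    return {
        "before rollover": chain_intact("gov.", PARENT_DS, [OLD_KSK, ZSK]),
        "new KSK only, DS not updated": chain_intact("gov.", PARENT_DS, [NEW_KSK, ZSK]),
        "both KSKs published": chain_intact("gov.", PARENT_DS, [OLD_KSK, NEW_KSK, ZSK]),
        "DS updated, old KSK retired": chain_intact(
            "gov.", {make_ds("gov.", NEW_KSK)}, [NEW_KSK, ZSK]),
    }

if __name__ == "__main__":
    for step, ok in rollover_report().items():
        print(f"{step:32} {'validates' if ok else 'BOGUS (SERVFAIL)'}")
```

Only the second stage fails, which is the sequence described above: the new key is live in the zone while the parent still holds the digest of the old one.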
Update Aug. 14, 4:50 p.m.: A GSA official said on background the website outage was triggered by a now-resolved DNSSEC issue and the agency is "still working on analyzing the whole thing." The outage, he added, did not affect users on secure government networks.
- read Ullrich's blog post on the outage