.GOV DNSSEC Outage: What Happened
Unpacking the 2013 .GOV domain disruption caused by a DNSSEC signing error and its lasting lessons for internet infrastructure.

In the world of internet infrastructure, few things are as critical as the Domain Name System (DNS), the backbone that translates human-readable domain names into machine-readable IP addresses. On August 14, 2013, a brief but significant disruption hit the .GOV top-level domain, rendering many government websites inaccessible to users whose systems enforced DNSSEC validation. This event highlighted the double-edged sword of advanced security measures: while DNSSEC bolsters protection against spoofing and tampering, operational errors in its implementation can lead to widespread downtime.
Understanding DNSSEC and Its Role in Modern Internet Security
DNSSEC, or DNS Security Extensions, is a suite of protocols that add cryptographic authentication to the DNS. Traditional DNS is vulnerable to attacks like cache poisoning, where malicious actors insert false data into resolvers. DNSSEC counters this by digitally signing DNS records, allowing resolvers to verify the authenticity and integrity of responses through public-key cryptography.
Key components include:
- Resource Record Signatures (RRSIG): Cryptographic signatures on DNS records.
- DNSKEY: Public keys used to validate signatures.
- Delegation Signer (DS): Links trust from parent to child zones.
- NSEC/NSEC3: Prove non-existence of records without revealing all data.
By 2013, adoption was growing, especially for high-value domains like .GOV, managed by Verisign under a U.S. government contract. The outage stemmed not from inherent flaws in DNSSEC but from a human error during zone signing.
Timeline of the .GOV Disruption
The incident unfolded rapidly. Early that morning, Verisign published an updated .GOV zone file as part of preparations for an upcoming algorithm rollover. Instead of including signatures from both the legacy algorithm 7 (RSASHA1-NSEC3-SHA1) and the new algorithm 8 (RSA/SHA-256), the zone was signed exclusively with algorithm 8 keys.
Validating resolvers, which check signatures against trusted keys, rejected the zone because algorithm 7 signatures were absent and still referenced in the DNSKEY set. Non-validating resolvers continued unaffected, but strict validators—common in secure enterprise and government networks—failed to resolve .GOV domains.
| Time (UTC) | Event |
|---|---|
| ~10:00 | Erroneous .GOV zone published |
| ~11:00 | Reports emerge on monitoring sites and mailing lists |
| ~12:00 | Verisign detects and republishes corrected zone |
| ~13:00 | Full recovery; Duane Wessels posts explanation |
The outage lasted under three hours but affected thousands of queries globally, as noted in real-time DNS operation discussions.
Root Cause: Algorithm Rollover Preparations Gone Awry
Verisign had announced the rollover weeks earlier to align .GOV with stronger standards used in the root zone and domains like .COM. Algorithm 7 relies on SHA-1 hashing, considered weak against collision attacks by cryptographers. Algorithm 8 upgrades to SHA-256 for better collision resistance.
During a test or staging phase, a software defect in the signing tool omitted dual signatures. The zone propagated quickly via anycast servers, triggering validation failures. This was confirmed by Verisign’s post-incident note: “A software defect resulted in publishing the .gov zone signed only with DNSSEC algorithm 8 keys rather than with both algorithm 7 and 8.”
Such rollovers require a dual-signing period—typically 10-30 days—to allow propagations and TTL expirations, ensuring backward compatibility.
Immediate Response and Community Coordination
Credit goes to Verisign for swift action. Upon alerts from operators like Johannes Ullrich on the SANS ISC Diary, the team rolled back to a valid dual-signed zone. Transparency followed with public explanations on dns-operations@lists.oarc.isc.org.
The DNS community, including tools like DNSViz and Zonemaster, played a pivotal role in detection. These services visualized signature chains, spotlighting the break.
Broader Implications for DNSSEC Deployments
This event underscored operational risks in DNSSEC management:
- Testing Rigor: Pre-production validation in isolated environments prevents live errors.
- Rollback Plans: Automated monitoring and hot-standby zones enable rapid recovery.
- Validator Behavior: Strict vs. opportunistic modes vary by resolver software (e.g., Unbound, BIND).
Post-2013, .GOV completed the rollover successfully, paving the way for algorithm 13 (ECDSAP256SHA256). Today, with NIST deprecating SHA-1 (SP 800-131A), such transitions are routine but demand precision.
Lessons Learned: Best Practices for Zone Administrators
To avoid similar pitfalls:
- Automate Signing: Use tools like OpenDNSSEC for consistent, auditable processes.
- Monitor Continuously: Integrate with services tracking validation status.
- Stage Rollovers:
- Publish dual-signed zones well in advance of key changes.
- Communicate: Notify operators via NANOG, DNS-OARC lists.
- Diversify Algorithms Gradually: Support multiple during transitions.
Statistics from Verisign’s 2023 DNSSEC report show over 1,800 TLDs signed, with incidents rare due to matured tooling.
Similar Incidents in DNSSEC History
The .GOV case wasn’t isolated. In 2018, .SE suffered a multi-hour outage from malformed NSEC3 proofs, impacting 8,000 domains. Iceland’s .IS faced signature expiration issues in 2020. These reinforce that operations, not tech, pose biggest risks.
Comprehensive lists like ianix.com/pub/dnssec-outages.html catalog dozens, aiding prevention.
Current State of DNSSEC in 2026
Over a decade later, DNSSEC covers ~26% of domains but critical TLDs like .GOV remain fully signed. Challenges persist: key management, performance overhead (larger responses), and validator adoption. Emerging protocols like DNS over HTTPS (DoH) integrate DNSSEC natively.
Authorities like ICANN push via Deployment Assistance Programs, emphasizing resilience.
FAQs
What caused the 2013 .GOV outage?
A misconfigured zone signed only with new algorithm 8 keys, breaking validation.
Did it affect all .GOV sites?
Only those queried via DNSSEC-validating resolvers; non-validators worked fine.
How long did it last?
Approximately 2-3 hours until corrected.
Is .GOV still using DNSSEC?
Yes, with advanced algorithms post-rollover.
Can users bypass DNSSEC failures?
Using non-validating resolvers or disabling validation, though not advised for security.
References
- DNSSEC Algorithm and Key Signing Key Rollover Schedule — ICANN. 2013-07-30. https://www.icann.org/registrars/reports/dnssec-rollover.txt
- SP 800-57 Part 1 Revision 5: Recommendation for Key Management — NIST (.gov). 2020-05-01. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
- Verisign DNSSEC Reporting Page — Verisign. 2023-12-31. https://dnssec.verisign.com/
- DNSSEC Operations Mailing List Archive: .gov Incident — DNS-OARC. 2013-08-14. https://lists.oarc.isc.org/pipermail/dns-operations/2013-August/008269.html
- RFC 6781: DNSSEC Operational Practices — IETF. 2012-11-01. https://datatracker.ietf.org/doc/html/rfc6781
Read full bio of medha deb










