DNSSEC is an important protocol by which DNS zone records are cryptographically signed. The protocol lets an Internet user's resolver verify that the DNS answers leading it to a particular web site are authentic, so that the user reaches the site it purports to be rather than a fake or substitute web site created by an intermeddler or wrongdoer. The protocol also offers many other benefits too numerous to discuss here in detail.
I use GoDaddy for hosting of this blog and I use GoDaddy to provide DNSSEC protection for the blog. Unfortunately GoDaddy has implemented DNSSEC in a way that does not work well with the way that it provides blog hosting. This has led to three intervals in the past year during which the DNSSEC protection did not work for the domain blog.oppedahl.com. The result has been that some visitors (those whose connection to the Internet is sophisticated enough to make use of the protection offered by DNSSEC) have been unable to visit the blog web site during those intervals.
In technical terms, what GoDaddy has screwed up during those three intervals is that it has stopped providing DS records for blog.oppedahl.com in the oppedahl.com zone file. A DS record in the parent zone (oppedahl.com) carries a hash of the subdomain's key-signing key; it is the link by which a validating resolver extends the chain of trust from oppedahl.com down to blog.oppedahl.com.
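To make concrete what a DS record is and what "missing DS records" means, here is an added example (not GoDaddy's code and not anything from this blog) that computes the DS record a parent zone must publish for a child key-signing key (RFC 4034 key tag, RFC 4509 SHA-256 digest) and checks whether a parent's DS set covers that key. The DNSKEY bytes are constructed for illustration, not the real blog.oppedahl.com key.

```python
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Encode a domain name in DNS wire format: length-prefixed, lowercased labels, root byte."""
    labels = [label for label in name.rstrip(".").lower().split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Serialize DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_for_dnskey(owner: str, rdata: bytes, digest_type: int = 2):
    """Return (key tag, algorithm, digest type, hex digest) as the parent zone's DS record carries it.
    For digest type 2 the digest is SHA-256(wire-format owner name || DNSKEY RDATA) (RFC 4509)."""
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) is implemented in this example")
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def parent_delegation_is_secure(parent_ds_records, owner: str, child_ksk_rdata: bytes) -> bool:
    """True if the parent publishes a DS matching the child's key-signing key.
    An empty DS set is exactly the failure described in the post: no DS for the subdomain."""
    expected = ds_for_dnskey(owner, child_ksk_rdata)
    return any(tuple(ds) == expected for ds in parent_ds_records)


# Constructed sample: a KSK (flags 257, protocol 3, RSASHA256) with placeholder key bytes.
CHILD = "blog.oppedahl.com."
SAMPLE_KSK = dnskey_rdata(257, 3, 8, bytes([1, 2, 3, 4]))

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_for_dnskey(CHILD, SAMPLE_KSK)
    print(f"{CHILD} IN DS {tag} {alg} {dtype} {digest}")
    print("parent publishes DS:", parent_delegation_is_secure([(tag, alg, dtype, digest)], CHILD, SAMPLE_KSK))
    print("parent publishes nothing:", parent_delegation_is_secure([], CHILD, SAMPLE_KSK))
```

Run against a real zone, the DS tuple would come from a query for `blog.oppedahl.com DS` at the oppedahl.com name servers and the DNSKEY from the child's own servers; the function then tells you whether the delegation is actually covered.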
It is a big disappointment that GoDaddy did not fix the bug in its implementation of DNSSEC after the first failure, which was about a year ago. When that first failure happened, it looks as though GoDaddy fixed the problem by hand, re-inserting the all-important DS records into the zone file. But it did not correct the underlying problem, which is that GoDaddy’s DNS setup for blog.oppedahl.com is fragile and breaks at the slightest provocation, such as changing some other record in the zone file.
Then around eight months ago some change that should have been harmless led once again to GoDaddy failing to provide DS records for blog.oppedahl.com in the oppedahl.com zone file. GoDaddy eventually got the DS records back into place, but again apparently only through a manual update. GoDaddy’s mistakes in implementing DNSSEC generally remained uncorrected.
Three days ago the fragility of GoDaddy’s implementation of DNSSEC revealed itself again, because once again GoDaddy stopped providing DS records for blog.oppedahl.com. What’s frustrating with GoDaddy is that when I try to explain the problem (the blog.oppedahl.com subdomain lacks any DS records), the response from the GoDaddy tech support person is the telephone equivalent of a deer in the headlights.
The image above, from VeriSign’s DNS Analyzer, shows that GoDaddy is to blame.
Anyway, after something like the fourth call to GoDaddy tech support in three days, I finally reached someone who understood the problem. And supposedly GoDaddy’s “advanced tech support” will now manually re-insert the missing DS records into the zone file.
Of course what needs to happen is that GoDaddy needs to correct its implementation of DNSSEC so that it handles subdomains (such as blog.oppedahl.com) reliably rather than in a fragile way.
So, anyway, if you have been unable to reach this blog during the past three days, that’s why.