.ve (Venezuela) TLD DNSSEC Outage: 2023-07-19 to 2023-07-20

Date: July 20, 2023

Overview

This page gives some details on the .ve (Venezuela) TLD DNSSEC outage from July 19, 2023 to July 20, 2023.

Timeline / DNSViz

Here's a screenshot example:

[Screenshot: Venezuela DNSSEC outage]

Google Public DNS: with and without DNSSEC

DNSSEC validation can be disabled per query by setting the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC validation. With DNSSEC, DNS queries result in SERVFAIL:

$ dig +dnssec ns ve. @8.8.8.8.

; <<>> dig 9.10.8-P1 <<>> +dnssec ns ve. @8.8.8.8.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7723
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
; EDE: 9 (DNSKEY Missing): 4e 6f 20 44 4e 53 4b 45 59 20 6d 61 74 63 68 65 73 20 44 53 20 52 52 73 20 6f 66 20 76 65 ("No DNSKEY matches DS RRs of ve")
;; QUESTION SECTION:
;ve. IN NS

;; Query time: 2509 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jul 19 19:26:33 UTC 2023
;; MSG SIZE rcvd: 67


You have to disable DNSSEC to make DNS work:

$ dig +cd ns ve. @8.8.8.8.

; <<>> dig 9.10.8-P1 <<>> +cd ns ve. @8.8.8.8.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24799
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ve. IN NS

;; ANSWER SECTION:
ve. 18000 IN NS a.lactld.org.
ve. 18000 IN NS ns3.nic.ve.
ve. 18000 IN NS ns4.nic.ve.
ve. 18000 IN NS ns5.nic.ve.
ve. 18000 IN NS ns6.nic.ve.
ve. 18000 IN NS ssdns-tld.nic.cl.

;; Query time: 138 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jul 19 19:26:34 UTC 2023
;; MSG SIZE rcvd: 163

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file with the relevant portion below (emphasis added):

[T] ve. 86400 IN DS 14092 8 2 08c74712d9ee7ab88bad9ea011379e2ac419102e209b83cb9c4ee6cfb5ca7e65
;; Domain: ve.
;; Signature ok but no chain to a trusted key or ds record
[S] ve. 18000 IN DNSKEY 257 3 8 ;{id = 14092 (ksk), size = 4096b}
ve. 18000 IN DNSKEY 256 3 8 ;{id = 45093 (zsk), size = 2048b}
ve. 18000 IN DNSKEY 257 3 8 ;{id = 62041 (ksk), size = 4096b}
[S] Existence denied: ve. A
;;[S] self sig OK; [B] bogus; [T] trusted; [U] unsigned

Logfile examples

These logfile examples come from different unbound instances in different geographical locations.