.vu TLD DNSSEC Outage: 2018-01-11

Updated: January 11, 2018

Overview

This page gives some details on the .vu (Vanuatu) TLD DNSSEC outage on January 11, 2018.

Timeline / DNSViz

Verisign's DNSSEC Debugger

Here's a screenshot I took on January 11, 2018, of the DNSSEC Debugger output:

January 11, 2018 vu TLD DNSSEC outage

Google Public DNS: with and without DNSSEC

DNSSEC validation can be disabled per query by setting the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC validation. With validation, DNS queries result in SERVFAIL:

$ dig +dnssec ns vu. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec ns vu. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2609
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;vu. IN NS

;; Query time: 863 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 11 00:07:28 2018
;; MSG SIZE rcvd: 31


You have to disable DNSSEC validation to make DNS queries work:

$ dig +cd ns vu. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +cd ns vu. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19006
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;vu. IN NS

;; ANSWER SECTION:
vu. 19944 IN NS ns2-cctld.vunic.vu.
vu. 19944 IN NS fork.sth.dnsnode.net.
vu. 19944 IN NS ns1-cctld.vunic.vu.
vu. 19944 IN NS efate.vanuatu.com.vu.
vu. 19944 IN NS anytld.apnic.net.
vu. 19944 IN NS santo.vanuatu.com.vu.
vu. 19944 IN NS rip.psg.com.

;; Query time: 8 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 11 00:07:28 2018
;; MSG SIZE rcvd: 212
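
The comparison above as a script, added here as an example (not part of the original page): it builds the two queries with Python's standard library, reads the RCODE and CD bit from the response header, and flags a name that returns SERVFAIL when validated but resolves with checking disabled. The function names are hypothetical, and the two sample headers are constructed to mirror the dig responses above.

```python
import socket
import struct

RD, CD = 0x0100, 0x0010          # header flag bits (RFC 1035, RFC 4035)
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name, qtype, qid, cd=False, do=False):
    """Build a DNS query; cd sets the CD header bit, do adds an EDNS0 OPT with DO."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if do else 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)   # class IN
    if do:
        # OPT RR: root name, type 41, class = UDP size, TTL field carries the DO bit
        msg += b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return msg

def parse_header(msg):
    """Return (rcode name, CD bit set?) from the 12-byte DNS header."""
    _, flags = struct.unpack("!HH", msg[:4])
    rcode = flags & 0x000F
    return RCODES.get(rcode, str(rcode)), bool(flags & CD)

def classify(validating_rcode, cd_rcode):
    """Compare the validated answer with the checking-disabled answer."""
    if validating_rcode == "SERVFAIL" and cd_rcode != "SERVFAIL":
        return "likely DNSSEC validation failure"
    if validating_rcode == "SERVFAIL":
        return "resolution failure (not DNSSEC-specific)"
    return "ok"

def probe(name, resolver="8.8.8.8", qtype=2, timeout=3.0):
    """Send both queries over UDP and classify the pair (needs network)."""
    results = []
    for qid, cd in ((1, False), (2, True)):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, qtype, qid, cd=cd, do=True), (resolver, 53))
            results.append(parse_header(s.recv(4096))[0])
    return classify(*results)

# Constructed headers mirroring the two dig responses on this page.
SAMPLE_DO = struct.pack("!HHHHHH", 2609, 0x8182, 1, 0, 0, 1)    # qr rd ra, SERVFAIL
SAMPLE_CD = struct.pack("!HHHHHH", 19006, 0x8190, 1, 7, 0, 0)   # qr rd ra cd, NOERROR

if __name__ == "__main__":
    print(classify(parse_header(SAMPLE_DO)[0], parse_header(SAMPLE_CD)[0]))
```

`probe()` needs network access. An answer obtained only with CD set is data the resolver did not validate, so treat it as unauthenticated.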

Zonemaster

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file with the relevant portion below (emphasis added):

;; Domain: vu.
[B] vu. 86400 IN DNSKEY 256 3 10 ;{id = 37496 (zsk), size = 1024b}
vu. 86400 IN DNSKEY 257 3 10 ;{id = 32532 (ksk), size = 2048b}
[U] No data found for: vu. type A
;;[S] self sig OK; [B] bogus; [T] trusted

Logfile examples