.vn TLD DNSSEC Outage: 2018-03-15

Updated: March 21, 2018

Overview

This page gives some details on the .vn (Vietnam) TLD DNSSEC outage on March 15, 2018. It specifically addresses the 2nd-level DNSSEC failures of com.vn, net.vn, org.vn, etc., which cover a substantial percentage of vn's end-user domains. 2nd-level end-user domains such as example.vn were unaffected, while example.com.vn, example.org.vn and other such domains all failed.

Timeline / DNSViz

• 2018-03-15 03:52:10 UTC — com.vn bogus DNSSEC delegation
• 2018-03-15 03:53:01 UTC — edu.vn bogus DNSSEC delegation
• 2018-03-15 04:00:23 UTC — name.vn bogus DNSSEC delegation
• 2018-03-15 04:01:07 UTC — net.vn bogus DNSSEC delegation
• 2018-03-15 04:10:12 UTC — ac.vn bogus DNSSEC delegation
• 2018-03-15 04:23:49 UTC — org.vn bogus DNSSEC delegation
• 2018-03-15 04:38:28 UTC — com.vn various DNSSEC wreckage
• 2018-03-15 09:24:22 UTC — last personally observed edu.vn DNSSEC failure
• 2018-03-15 12:09:24 UTC — last personally observed net.vn DNSSEC failure

Google Public DNS: with and without DNSSEC

DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC. With DNSSEC, DNS queries result in SERVFAIL:

$ dig +dnssec ns com.vn. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec ns com.vn. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 37389
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;com.vn. IN NS

;; Query time: 527 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Mar 15 03:51:23 2018
;; MSG SIZE rcvd: 35

---

You have to disable DNSSEC to make DNS queries work:

$ dig +cd ns com.vn. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +cd ns com.vn. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43373
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;com.vn. IN NS

;; ANSWER SECTION:
com.vn. 20973 IN NS e.dns-servers.vn.
com.vn. 20973 IN NS a.dns-servers.vn.
com.vn. 20973 IN NS f.dns-servers.vn.
com.vn. 20973 IN NS b.dns-servers.vn.
com.vn. 20973 IN NS d.dns-servers.vn.
com.vn. 20973 IN NS g.dns-servers.vn.
com.vn. 20973 IN NS c.dns-servers.vn.

;; Query time: 13 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Mar 15 03:51:23 2018
;; MSG SIZE rcvd: 148

Zonemaster

• zonemaster.net archived com.vn: "No DNSKEYs were returned."
• zonemaster.fr archived com.vn: "No DNSKEYs were returned."
• zonemaster.net archived org.vn: "No DNSKEYs were returned."
• zonemaster.fr archived org.vn: "No DNSKEYs were returned."

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file with the relevant portion below (emphasis added):

;; Domain: com.vn.
;; No DNSKEY record found for com.vn.
[U] No data found for: com.vn. type A
;;[S] self sig OK; [B] bogus; [T] trusted

Logfile examples

• [1521085879] unbound[54472:0] info: validation failure <com.vn. NS IN>: No DNSKEY record from 203.119.68.105 for key com.vn. while building chain of trust
• [1521085953] unbound[54472:0] info: validation failure <edu.vn. NS IN>: no signatures from 194.0.1.18
• [1521086379] unbound[54472:0] info: validation failure <name.vn. NS IN>: No DNSKEY record from 203.119.60.105 for key name.vn. while building chain of trust
• [1521086434] unbound[54472:0] info: validation failure <net.vn. NS IN>: no signatures from 203.119.60.105
• [1521086972] unbound[54472:0] info: validation failure <ac.vn. NS IN>: No DNSKEY record from 204.61.216.115 for key ac.vn. while building chain of trust
• [1521087787] unbound[54472:0] info: validation failure <org.vn. NS IN>: No DNSKEY record from 203.119.68.105 for key org.vn. while building chain of trust
• [1521088505] unbound[54472:0] info: validation failure <edu.vn. NS IN>: no signatures from 204.61.216.115
• [1521089011] unbound[54472:0] info: validation failure <net.vn. NS IN>: no signatures from 203.119.68.105
• [1521099130] unbound[54472:0] info: validation failure <edu.vn. NS IN>: no signatures from 194.0.1.18
• [1521099660] unbound[54472:0] info: validation failure <net.vn. NS IN>: no signatures from 203.119.73.105
• [1521105862] unbound[54472:0] info: validation failure <edu.vn. NS IN>: no signatures from 203.119.44.105
• [1521115764] unbound[54472:0] info: validation failure <net.vn. NS IN>: no signatures from 203.119.68.105