validatorsearch.verisignlabs.com 3-year DNSSEC Outage: 2013-2016

Updated: February 10, 2017

Overview

This page gives some details on the validatorsearch.verisignlabs.com DNSSEC outage that began on September 10, 2013.

Timeline / DNSViz

OpenDNS & Google Public DNS

OpenDNS does not support DNSSEC, instead supporting DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users saw SERVFAIL for queries under validatorsearch.verisignlabs.com during this outage.

With OpenDNS, which doesn't support DNSSEC, queries succeed:

$ dig validatorsearch.verisignlabs.com. @resolver1.opendns.com.

; <<>> DiG 9.4.2-P2 <<>> validatorsearch.verisignlabs.com. @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5572
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;validatorsearch.verisignlabs.com. IN A

;; ANSWER SECTION:
validatorsearch.verisignlabs.com. 7200 IN A 72.13.58.64

;; Query time: 214 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Fri Sep 16 05:07:45 2016
;; MSG SIZE rcvd: 66


With Google Public DNS, because of DNSSEC, queries fail:

$ dig +dnssec validatorsearch.verisignlabs.com. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec validatorsearch.verisignlabs.com. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27533
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;validatorsearch.verisignlabs.com. IN A

;; Query time: 245 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Sep 16 05:07:45 2016
;; MSG SIZE rcvd: 61

dnscheck

Zonemaster

Logfile examples