.xn--3bst00m DNSSEC Outage: 2014-04-09

Updated: October 6, 2014

Overview

This page gives some details on the .xn--3bst00m DNSSEC outage from April 9 to April 12, 2014.

DNSViz

Verisign's DNSSEC Debugger

Verisign doesn't archive test results, unlike DNSViz. So here's a screenshot I took on April 9, 2014:

[Screenshot: xn--3bst00m dnssec outage]

OpenDNS & Google Public DNS

OpenDNS does not support DNSSEC; it supports DNSCurve instead. Google Public DNS currently supports only DNSSEC, so Google's users could not resolve names under xn--3bst00m during this outage.

With OpenDNS, queries succeed:

$ dig ns xn--3bst00m @resolver1.opendns.com

; <<>> DiG 9.4.2-P2 <<>> ns xn--3bst00m @resolver1.opendns.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55291
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;xn--3bst00m. IN NS

;; ANSWER SECTION:
xn--3bst00m. 3577 IN NS b.zdnscloud.com.
xn--3bst00m. 3577 IN NS e.zdnscloud.com.
xn--3bst00m. 3577 IN NS a.zdnscloud.com.
xn--3bst00m. 3577 IN NS j.zdnscloud.com.
xn--3bst00m. 3577 IN NS i.zdnscloud.com.
xn--3bst00m. 3577 IN NS c.zdnscloud.com.
xn--3bst00m. 3577 IN NS g.zdnscloud.com.
xn--3bst00m. 3577 IN NS d.zdnscloud.com.
xn--3bst00m. 3577 IN NS f.zdnscloud.com.

;; Query time: 18 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Wed Apr 9 00:27:42 2014
;; MSG SIZE rcvd: 186


With Google Public DNS, queries fail:

$ dig ns xn--3bst00m @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> ns xn--3bst00m @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19070
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;xn--3bst00m. IN NS

;; Query time: 483 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Apr 9 00:28:03 2014
;; MSG SIZE rcvd: 29
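
The comparison above can be scripted. The following is an added example, not part of the original page: it reads the status out of two dig outputs, one from a resolver that does not validate DNSSEC and one from a resolver that does, and classifies the pair. The function names and result strings are assumptions made for this example; the sample header lines are copied from the two transcripts above.

```shell
#!/bin/sh
# Added example: triage a suspected DNSSEC outage from two dig outputs.

# Print the response status (NOERROR, SERVFAIL, ...) found in dig output on stdin.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify <output from non-validating resolver> <output from validating resolver>
classify() {
    nv=$(printf '%s\n' "$1" | dig_status)
    v=$(printf '%s\n' "$2" | dig_status)
    case "$nv/$v" in
        NOERROR/NOERROR)   echo "ok" ;;
        # Resolves without validation, fails with it: the pattern on this page.
        NOERROR/SERVFAIL)  echo "dnssec-validation-failure-suspected" ;;
        # Fails everywhere: the problem is not specific to DNSSEC.
        SERVFAIL/SERVFAIL) echo "resolution-failure-not-dnssec-specific" ;;
        *)                 echo "inconclusive:$nv/$v" ;;
    esac
}

# Live use (defined but not called here, since it needs network access):
#   compare_resolvers xn--3bst00m resolver1.opendns.com 8.8.8.8
compare_resolvers() {
    classify "$(dig ns "$1" "@$2")" "$(dig ns "$1" "@$3")"
}

# Header lines copied from the OpenDNS transcript above.
OPENDNS_HDR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55291
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0'

# Header lines copied from the Google Public DNS transcript above.
GOOGLE_HDR=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19070
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

classify "$OPENDNS_HDR" "$GOOGLE_HDR"
```

A NOERROR/SERVFAIL split is consistent with a validation failure but does not prove one; a tool such as DNSViz shows which part of the chain of trust is broken.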