xn--y9a3aq TLD DNSSEC Outage: 2015-06-25 to 2015-06-26

Updated: June 27, 2015

Overview

This page gives some details on the xn--y9a3aq TLD DNSSEC outage from June 25, 2015 to June 26, 2015.

Verisign's DNSSEC Debugger

Verisign doesn't archive test results, unlike DNSViz. So here's a screenshot I took on June 25, 2015:

xn--y9a3aq dnssec outage

Timeline / DNSViz

OpenDNS & Google Public DNS

OpenDNS does not support DNSSEC, instead supporting DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users saw SERVFAIL for queries under xn--y9a3aq during this outage.

With OpenDNS, queries succeed:

$ dig ns xn--y9a3aq. @resolver1.opendns.com.

; <<>> DiG 9.4.2-P2 <<>> ns xn--y9a3aq. @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41820
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;xn--y9a3aq. IN NS

;; ANSWER SECTION:
xn--y9a3aq. 172800 IN NS rip.psg.com.
xn--y9a3aq. 172800 IN NS fork.sth.dnsnode.net.
xn--y9a3aq. 172800 IN NS am.cctld.authdns.ripe.net.
xn--y9a3aq. 172800 IN NS sns-pb.isc.org.
xn--y9a3aq. 172800 IN NS ns-cdn.amnic.net.
xn--y9a3aq. 172800 IN NS ns-pch.amnic.net.
xn--y9a3aq. 172800 IN NS ns-pri.amnic.net.

;; Query time: 195 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Thu Jun 25 19:10:14 2015
;; MSG SIZE rcvd: 220


With Google Public DNS, with DNSSEC, queries fail:

$ dig ns xn--y9a3aq. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> ns xn--y9a3aq. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40615
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;xn--y9a3aq. IN NS

;; Query time: 86 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jun 25 19:10:21 2015
;; MSG SIZE rcvd: 28

dnscheck

dnscheck.labs.nic.cz archived a DNSSEC outage at 2015-06-25 18:57:47 (requires javascript).

dnscheck.iis.se archived a DNSSEC outage at 2015-06-25 18:57:04 (requires javascript).

Zonemaster

Zonemaster archived this xn--y9a3aq DNSSEC outage.

Logfile examples