www.nsf.gov/A DNSSEC Outage: 2016-07-22 to 2016-07-24

Updated: December 30, 2016

Overview

This page gives some details on the www.nsf.gov/A DNSSEC outage from July 22 to July 24, 2016. It was not the first DNSSEC outage for the National Science Foundation.

Timeline / DNSViz

OpenDNS vs. Google Public DNS

OpenDNS does not support DNSSEC, and instead supports DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users saw SERVFAIL for www.nsf.gov/A queries during this outage.

With OpenDNS, without DNSSEC, DNS works:

$ dig www.nsf.gov @resolver1.opendns.com.

; <<>> DiG 9.4.2-P2 <<>> www.nsf.gov @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65296
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.nsf.gov. IN A

;; ANSWER SECTION:
www.nsf.gov. 346 IN A 204.14.135.126

;; Query time: 0 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Fri Jul 22 05:45:08 2016
;; MSG SIZE rcvd: 45


With Google Public DNS, because of DNSSEC, queries fail:

$ dig +dnssec www.nsf.gov @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec www.nsf.gov @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22248
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.nsf.gov. IN A

;; Query time: 74 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jul 22 05:45:08 2016
;; MSG SIZE rcvd: 40

Logfile examples