internetsociety.org DNSSEC Outage:
2017-02-19 to 2017-02-20

Updated: February 20, 2017

Overview

This page gives some details on the internetsociety.org DNSSEC outage from February 19 to February 20, 2017. The Internet Society is one of the biggest supporters of DNSSEC and this is not the first DNSSEC outage for Internet Society.

Timeline / DNSViz

Verisign's DNSSEC Debugger

Verisign doesn't archive test results, to here's a screenshot I took of my web browser's output on February 19, 2017:

internetsociety.org DNSSEC outage, February 19, 2017

OpenDNS & Google Public DNS

OpenDNS does not support DNSSEC, and instead supports DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users saw SERVFAIL for queries under internetsociety.org during this outage.

With OpenDNS, queries succeed:

$ dig www.internetsociety.org @resolver1.opendns.com.

; <<>> DiG 9.4.2-P2 <<>> www.internetsociety.org @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20277
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.internetsociety.org. IN A

;; ANSWER SECTION:
www.internetsociety.org. 73 IN A 212.110.167.151

;; Query time: 0 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Mon Feb 20 00:06:19 2017
;; MSG SIZE rcvd: 57

With Google Public DNS, with DNSSEC, queries fail:

$ dig +dnssec www.internetsociety.org @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec www.internetsociety.org @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36872
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.internetsociety.org. IN A

;; Query time: 125 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Feb 20 00:06:19 2017
;; MSG SIZE rcvd: 52

dnscheck

Zonemaster

Twitter

Logfile examples