.xn--wgbh1c TLD DNSSEC Outage: 2025-10-19 to 2025-10-24

Updated: December 21, 2025

Overview

This page gives some details on the .xn--wgbh1c (IDN TLD) DNSSEC outage from December 19 to December 24, 2025. This was not the first DNSSEC outage for xn--wgbh1c.

Timeline / DNSViz

DNSSEC Debugger

Here's a screenshot of my web browser's output from October 20, 2025:

October 20, 2025 .xn--wgbh1c (IDN TLD) DNSSEC outage

Cloudflare DNS: with and without DNSSEC

DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC.

$ dig +dnssec ns xn--wgbh1c. @1.1.1.1.

; <<>> dig 9.10.8-P1 <<>> +dnssec ns xn--wgbh1c. @1.1.1.1.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18148
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; EDE: 7 (Signature Expired): 66 6f 72 20 44 4e 53 4b 45 59 20 78 6e 2d 2d 77 67 62 68 31 63 2e 2c 20 69 64 20 3d 20 36 35 33 35 30 3a 20 52 52 53 49 47 20 78 6e 2d 2d 77 67 62 68 31 63 2e 2c 20 65 78 70 69 72 61 74 69 6f 6e 20 3d 20 31 37 36 30 38 38 31 36 38 31 ("for DNSKEY xn--wgbh1c., id = 65350: RRSIG xn--wgbh1c., expiration = 1760881681")
;; QUESTION SECTION:
;xn--wgbh1c. IN NS

;; Query time: 389 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Oct 20 13:54:14 UTC 2025
;; MSG SIZE rcvd: 123

You have to disable DNSSEC to make DNS queries work:

$ dig +cd ns xn--wgbh1c. @1.1.1.1.

; <<>> dig 9.10.8-P1 <<>> +cd ns xn--wgbh1c. @1.1.1.1.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14654
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 7 (Signature Expired): 66 6f 72 20 44 4e 53 4b 45 59 20 78 6e 2d 2d 77 67 62 68 31 63 2e 2c 20 69 64 20 3d 20 36 35 33 35 30 3a 20 52 52 53 49 47 20 78 6e 2d 2d 77 67 62 68 31 63 2e 2c 20 65 78 70 69 72 61 74 69 6f 6e 20 3d 20 31 37 36 30 38 38 31 36 38 31 ("for DNSKEY xn--wgbh1c., id = 65350: RRSIG xn--wgbh1c., expiration = 1760881681")
;; QUESTION SECTION:
;xn--wgbh1c. IN NS

;; ANSWER SECTION:
xn--wgbh1c. 300 IN NS ns1.dotmasr.eg.
xn--wgbh1c. 300 IN NS ns3.dotmasr.eg.
xn--wgbh1c. 300 IN NS ns2.dotmasr.eg.
xn--wgbh1c. 300 IN NS ns4.dotmasr.eg.

;; Query time: 377 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Oct 20 13:54:14 UTC 2025
;; MSG SIZE rcvd: 205

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file, with the relevant portion below (emphasis added):

[T] xn--wgbh1c. 86400 IN DS 65350 13 2 5ece34228c4114fc455e07f4bb4b3df8b501d874c4a4070acbb378f41f17a0e5
xn--wgbh1c. 86400 IN DS 65350 13 1 746dd718f1bdae3b4f2578767c4b47a039501641
;; Domain: xn--wgbh1c.
[B] xn--wgbh1c. 3600 IN DNSKEY 256 3 13 ;{id = 20968 (zsk), size = 256b}
xn--wgbh1c. 3600 IN DNSKEY 257 3 13 ;{id = 65350 (ksk), size = 256b}
[B] Error verifying denial of existence for xn--wgbh1c. type A: No keys with the keytag and algorithm from the RRSIG found
;;[S] self sig OK; [B] bogus; [T] trusted; [U] unsigned

Logfile examples