.xn--mgbayh7gpa (Arabic Jordan) DNSSEC Outage: 2026-05-06 to ongoing

Updated: May 29, 2026

Overview

This page gives some details on the ongoing .xn--mgbayh7gpa (Arabic Jordan) DNSSEC outage beginning May 6, 2026.

Timeline / DNSViz

Cloudflare public DNS: with and without DNSSEC

DNSSEC can be disabled in queries via the CD (checking disabled) bit. Let's compare DNS queries with and without DNSSEC. With DNSSEC, DNS queries result in SERVFAIL:

$ dig +dnssec ns xn--mgbayh7gpa. @1.1.1.1.

; <<>> dig 9.10.8-P1 <<>> +dnssec ns xn--mgbayh7gpa. @1.1.1.1.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29820
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; EDE: 7 (Signature Expired): 66 6f 72 20 44 4e 53 4b 45 59 20 78 6e 2d 2d 6d 67 62 61 79 68 37 67 70 61 2e 2c 20 69 64 20 3d 20 33 31 37 31 35 3a 20 52 52 53 49 47 20 78 6e 2d 2d 6d 67 62 61 79 68 37 67 70 61 2e 2c 20 65 78 70 69 72 61 74 69 6f 6e 20 3d 20 31 37 37 38 30 36 39 35 38 31 ("for DNSKEY xn--mgbayh7gpa., id = 31715: RRSIG xn--mgbayh7gpa., expiration = 1778069581")
;; QUESTION SECTION:
;xn--mgbayh7gpa. IN NS

;; Query time: 804 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon May 25 21:15:12 UTC 2026
;; MSG SIZE rcvd: 135

You have to disable DNSSEC to make DNS queries work:

$ dig +cd ns xn--mgbayh7gpa. @1.1.1.1.

; <<>> dig 9.10.8-P1 <<>> +cd ns xn--mgbayh7gpa. @1.1.1.1.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32110
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 7 (Signature Expired): 66 6f 72 20 44 4e 53 4b 45 59 20 78 6e 2d 2d 6d 67 62 61 79 68 37 67 70 61 2e 2c 20 69 64 20 3d 20 33 31 37 31 35 3a 20 52 52 53 49 47 20 78 6e 2d 2d 6d 67 62 61 79 68 37 67 70 61 2e 2c 20 65 78 70 69 72 61 74 69 6f 6e 20 3d 20 31 37 37 38 30 36 39 35 38 31 ("for DNSKEY xn--mgbayh7gpa., id = 31715: RRSIG xn--mgbayh7gpa., expiration = 1778069581")
; EDE: 18 (Prohibited)
;; QUESTION SECTION:
;xn--mgbayh7gpa. IN NS

;; ANSWER SECTION:
xn--mgbayh7gpa. 300 IN NS b.cctld-servers.net.jo.
xn--mgbayh7gpa. 300 IN NS d.cctld-servers.net.jo.
xn--mgbayh7gpa. 300 IN NS jo.cctld.authdns.ripe.net.
xn--mgbayh7gpa. 300 IN NS a.cctld-servers.net.jo.
xn--mgbayh7gpa. 300 IN NS c.cctld-servers.net.jo.

;; Query time: 474 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon May 25 21:15:13 UTC 2026
;; MSG SIZE rcvd: 264

Zonemaster

Four different Zonemaster instances saw this DNSSEC outage:

drill trace

Since DNSSEC contains so much garbage, I put the complete drill trace into its own file with the relevant portion below (emphasis added):

[T] xn--mgbayh7gpa. 86400 IN DS 31715 8 2 e7b5191787c7db3c20bfcf917807791eb09917e887ebb7cbb3d11678e9767ad1
;; Domain: xn--mgbayh7gpa.
[B] xn--mgbayh7gpa. 3600 IN DNSKEY 257 3 8 ;{id = 31715 (ksk), size = 4096b}
xn--mgbayh7gpa. 3600 IN DNSKEY 256 3 8 ;{id = 40914 (zsk), size = 2048b}
[B] Error verifying denial of existence for xn--mgbayh7gpa. type A: No keys with the keytag and algorithm from the RRSIG found
;;[S] self sig OK; [B] bogus; [T] trusted; [U] unsigned

Logfile examples