educom.edu 4-year DNSSEC Outage: 2012-2017

Updated: January 29, 2017

Overview

This page gives some details on the educom.edu DNSSEC outage that has been going on for over four years — longer than it takes to get an undergraduate degree!

Timeline / DNSViz

DNSSEC Debugger

Unlike DNSViz, Verisign's DNSSEC Debugger doesn't archive results, so here's a screenshot of my web browser's output from January 29, 2017:

January 29, 2017 educom.edu DNSSEC outage

OpenDNS & Google Public DNS

OpenDNS does not support DNSSEC, instead supporting DNSCurve. Google Public DNS currently supports only DNSSEC, and thus, Google's users saw SERVFAIL for queries under educom.edu during this outage.

With OpenDNS, which doesn't support DNSSEC, queries succeed:

$ dig www.educom.edu. @resolver1.opendns.com.

; <<>> DiG 9.4.2-P2 <<>> www.educom.edu. @resolver1.opendns.com.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51431
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.educom.edu. IN A

;; ANSWER SECTION:
www.educom.edu. 3600 IN A 216.85.144.214

;; Query time: 121 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Sun Sep 18 02:28:31 2016
;; MSG SIZE rcvd: 48


With Google Public DNS, because of DNSSEC, queries fail:

$ dig +dnssec www.educom.edu. @8.8.8.8

; <<>> DiG 9.4.2-P2 <<>> +dnssec www.educom.edu. @8.8.8.8
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11247
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.educom.edu. IN A

;; Query time: 97 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Sep 18 02:28:31 2016
;; MSG SIZE rcvd: 43

dnscheck

Zonemaster

Logfile examples