On Jul 12, 2017 11:46 PM, "César de Tassis Filho via Outages" < outages@outages.org> wrote: Well, this domain has a broken DNSSEC setup: http://dnsviz.net/d/aer hq.org/dnssec/ Every recursive DNS server that validates DNSSEC (except for Google Public DNS, as stated here[1]) will not resolve this domain. César [1] https://developers.google.com/speed/public-dns/faq#gdns_ validation_failure Actually, that page says: " If Google Public DNS cannot validate a response (due to misconfiguration, missing or incorrect RRSIG records, etc.), it will return an error response (SERVFAIL) instead. **However, if the impact is significant (e.g. a very popular domain is failing validation), we may temporarily disable validation on the zone until the problem is fixed.**" (Emphasis added) This is through the use of RFC7646 (Negative Trust Anchors) - the use is very seldom, manual, and only for very popular names. (Apologies for formatting, etc - rushed, about to board a plane) On Wed, Jul 12, 2017 at 6:37 PM, Tom Elliott via Outages < outages@outages.org> wrote:

Comcast subscribers around Wash D.C. are unable to resolve aerhq.org. Subscribers of other ISPs resolve site. Anyone else seeing something like this?

Thanks,

Tom Elliott

_______________________________________________ Outages mailing list Outages@outages.org https://puck.nether.net/mailman/listinfo/outages

_______________________________________________ Outages mailing list Outages@outages.org https://puck.nether.net/mailman/listinfo/outages