NIST (time.nist.gov, etc) DNSSEC bogus

Several NIST services such as time.nist.gov or www.nist.gov are not reachable if you use a DNSSEC-validating resolver (as you should). These names are aliases to something under the broken zone glb.nist.gov.

There are four DS in nist.gov for glb.nist.gov, 56334, 7398, 56900 and 21797. There are four DNSKEY in nist.gov, 31787, 20630, 38289 and 60249. As you can see there is not one key in common... As a result, everything under glb.nist.gov SERVFAILs since at least 2016-08-25 17:27:40 UTC.

Also, there is no email in the SOA of nist.gov and the whois of .gov is not informative :-(

Here is a test by the RIPE Atlas probes in the USA. 28 % of the probes cannot resolve time.nist.gov because they get the SERVFAIL:

% atlas-resolve -r 500 -c US time.nist.gov
[ERROR: FORMERR] : 5 occurrences
[216.228.192.69] : 3 occurrences
[TIMEOUT(S)] : 11 occurrences
[131.107.13.100] : 9 occurrences
[64.113.32.5] : 2 occurrences
[128.138.140.44] : 2 occurrences
[132.163.4.101] : 6 occurrences
[132.163.4.102] : 8 occurrences
[132.163.4.103] : 12 occurrences
[128.138.141.172] : 34 occurrences
[24.56.178.140] : 193 occurrences
[129.6.15.30] : 4 occurrences
[216.229.0.179] : 48 occurrences
[129.6.15.28] : 5 occurrences
[129.6.15.27] : 8 occurrences
[ERROR: SERVFAIL] : 143 occurrences
Test #4699376 done at 2016-08-26T08:44:13Z

And here is a test with the popular public resolver Google Public DNS:

% dig @8.8.8.8 A time.nist.gov

; <<>> DiG 9.10.3-P4-Debian <<>> @8.8.8.8 A time.nist.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 35848
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;time.nist.gov.			IN	A

;; Query time: 2 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Aug 26 10:50:48 CEST 2016
;; MSG SIZE  rcvd: 42

And here with online DNS testing services:

http://dnsviz.net/d/glb.nist.gov/V78qjA/dnssec/
https://zonemaster.net/test/2e7cf7509e346b82
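The failure described above is a delegation whose DS records in the parent (nist.gov) do not correspond to any DNSKEY in the child (glb.nist.gov). The following is an added example, not part of the thread and not NIST's real key material: it implements the RFC 4034 key tag computation and DS digest check that a validating resolver performs at a delegation, and runs them over a constructed DNSKEY RRset. The two DNSKEYs are synthetic (deliberately short, so the key tags can be verified by hand); the four DS key tags in BROKEN_DS are the ones quoted in the post, with made-up digests. Everything else (zone name, function names) is illustrative.

```python
"""Check whether a parent's DS RRset chains to a child's DNSKEY RRset (RFC 4034).

Added example, not from the mailing-list thread. All DNS data below is
constructed inline: the DNSKEYs are synthetic and the DS digests are invented.
"""
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes  # raw key material, already base64-decoded

    @classmethod
    def parse(cls, rdata_text: str) -> "DNSKEY":
        """Parse presentation-format RDATA, e.g. '257 3 8 AwEAAavN'."""
        flags, proto, alg, *b64 = rdata_text.split()
        return cls(int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key."""
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag: a 16-bit checksum over the RDATA, not a unique id."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int  # 1 = SHA-1, 2 = SHA-256
    digest: bytes


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS for a DNSKEY: digest over (owner name wire | DNSKEY RDATA), RFC 4034 s5.1.4."""
    h = _DIGESTS[digest_type](name_to_wire(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, h)


def matching_keys(owner: str, ds_set: list, dnskeys: list) -> list:
    """Return (DS, DNSKEY) pairs whose key tag, algorithm and digest all agree.

    A validating resolver needs at least one such pair (plus a valid RRSIG over
    the DNSKEY RRset by that key) to treat the child as secure; with zero pairs
    the child zone is bogus and every name under it gets SERVFAIL.
    """
    pairs = []
    for ds in ds_set:
        if ds.digest_type not in _DIGESTS:
            continue  # unsupported digest type: this DS is unusable for validation
        for key in dnskeys:
            if not key.flags & 0x0100:
                continue  # Zone Key bit clear: not a zone key (RFC 4034 s2.1.1)
            if ds.key_tag != key.key_tag() or ds.algorithm != key.algorithm:
                continue  # cheap pre-filter; the digest is the real check
            if make_ds(owner, key, ds.digest_type).digest == ds.digest:
                pairs.append((ds, key))
    return pairs


def diagnose(owner: str, ds_set: list, dnskeys: list) -> str:
    pairs = matching_keys(owner, ds_set, dnskeys)
    if pairs:
        return "secure: DS %d matches DNSKEY %d" % (pairs[0][0].key_tag, pairs[0][1].key_tag())
    return "bogus: DS tags %s vs DNSKEY tags %s, no usable match" % (
        sorted(d.key_tag for d in ds_set), sorted(k.key_tag() for k in dnskeys))


ZONE = "glb.nist.gov."
# Constructed child DNSKEY RRset (synthetic key bytes, not NIST's real keys).
KSK = DNSKEY.parse("257 3 8 AwEAAavN")  # key tag 45784
ZSK = DNSKEY.parse("256 3 8 AwEAARI0")  # key tag 6462
CHILD_DNSKEYS = [KSK, ZSK]
# The four DS key tags the post reports in nist.gov for glb.nist.gov; digests invented.
BROKEN_DS = [DS(tag, 8, 2, hashlib.sha256(b"stale key %d" % tag).digest())
             for tag in (56334, 7398, 56900, 21797)]
# What the parent would have to publish for the chain to validate: a DS of the current KSK.
GOOD_DS = [make_ds(ZONE, KSK)]
# Key tag collides with the KSK but the digest is of another key: still no chain.
TAG_COLLISION_DS = [DS(KSK.key_tag(), 8, 2, make_ds(ZONE, ZSK).digest)]

if __name__ == "__main__":
    for label, ds_set in (("as published", BROKEN_DS), ("fixed", GOOD_DS), ("tag collision", TAG_COLLISION_DS)):
        print("%-14s %s" % (label, diagnose(ZONE, ds_set, CHILD_DNSKEYS)))
```

The key-tag comparison alone is not sufficient: the tag is a 16-bit sum, so two unrelated keys can share one, which is why the digest over the owner name and full RDATA is what actually binds a DS to a DNSKEY. In the broken case the script reports the same symptom the post describes: no DS tag appears among the DNSKEY tags, so the child zone is bogus and every name below it fails to resolve on a validating resolver.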

On Fri, 26 Aug 2016, Stephane Bortzmeyer via Outages wrote:
> Several NIST services such as time.nist.gov or www.nist.gov are not reachable if you use a DNSSEC-validating resolver (as you should). These names are aliases to something under the broken zone glb.nist.gov.
> Also, there is no email in the SOA of nist.gov and the whois of .gov is not informative :-(
SOA for glb is better. I sent messages to the former and to timeinfo@blouder.nist.gov around 0544Z but at this time of day it seems unlikely anyone there will notice. According to dnsviz the problem appeared sometime prior to 11 hours ago -- alas the previous test they had was a year ago so not much isolation as to when. /mark