On Thu, Nov 29, 2018 at 09:37:53AM -0800, Glen <glen@xxxxxxxx> wrote a message of 19 lines which said: > The problem indeed turned out to be an issue with the domain > registrar account. Duration of the incident, seen by DNSDB <https://www.farsightsecurity.com/solutions/dnsdb/>: ;; first seen: 2018-11-29 08:06:39 -0000 ;; last seen: 2018-11-29 17:11:11 -0000 rfc-editor.org. IN NS ns1641.ztomy.com. rfc-editor.org. IN NS ns2641.ztomy.com. ztomy.com was also seen in the LinkedIn incident <https://www.isc.org/blogs/hijacking-dns-error-ddos-what-happened-and-what-you-can-do/>: ;; first seen 2013-06-20 00:17:09 -0000 ;; last seen 2013-06-20 04:13:15 -0000 linkedin.com. NS ns1617.ztomy.com. linkedin.com. NS ns2617.ztomy.com. > We have resolved that issue. Domain service has been restored. > However, because the registry had suspended the domains by changing > the nameservers for the domains, it may take a number of hours for > the restoration to work its way through DNS caches worldwide. You can see it through RIPE Atlas <https://atlas.ripe.net/>, here with the Blaeu tool <https://framagit.org/bortzmeyer/blaeu>. More than 10 % of the RIPE Atlas probes use a resolver which still see the old NS set: % blaeu-resolve --type NS --requested 100 rfc-editor.org [ns0.amsl.com. ns1.ams1.afilias-nst.info. ns1.hkg1.afilias-nst.info. ns1.mia1.afilias-nst.info. ns1.sea1.afilias-nst.info. ns1.yyz1.afilias-nst.info.] : 83 occurrences [ns1641.ztomy.com. ns2641.ztomy.com.] : 13 occurrences [ns0.ietf.org. ns1.ams1.afilias-nst.info. ns1.hkg1.afilias-nst.info. ns1.mia1.afilias-nst.info. ns1.sea1.afilias-nst.info. ns1.yyz1.afilias-nst.info.] : 1 occurrences [ (TRUNCATED - May have to use --ednssize) ns0.amsl.com. ns1.ams1.afilias-nst.info. ns1.hkg1.afilias-nst.info. ns1.mia1.afilias-nst.info. ns1.sea1.afilias-nst.info. ns1.yyz1.afilias-nst.info.] : 1 occurrences Test #17691720 done at 2018-11-30T08:21:33Z
