Are your local resolvers forwarding to 8.8.8.8? I tried a small sample of public resolvers and only the Google ones failed. Maybe DNSSEC? (looks like the NIST signature rotated yesterday)

1.1.1.1      gm.nist.gov. netops.nist.gov. 2889174 10800 1080 2419200 300
8.8.8.8      failed
8.8.4.4      failed
75.75.75.75  gm.nist.gov. netops.nist.gov. 2889174 10800 1080 2419200 300
9.9.9.9      gm.nist.gov. netops.nist.gov. 2889174 10800 1080 2419200 300

On 6/14/21 6:35 AM, Matthew Huff via Outages wrote:
> External email warning - This email originated outside the company. Please do
> not click links or open attachments unless you were expecting this
> communication. - SANS Security Team -
>
> We have to query and compare against NIST time servers for FINRA compliance.
> This morning I noticed our systems are unable to DNS query the NIST time
> servers. Neither our local resolvers nor Google (8.8.8.8) work.
>
> [root@bacall log]# dig @8.8.8.8 time-a-g.nist.gov
>
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 <<>> @8.8.8.8
> time-a-g.nist.gov
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36018
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;time-a-g.nist.gov. IN A
>
> ;; Query time: 6 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Mon Jun 14 06:27:45 EDT 2021
> ;; MSG SIZE rcvd: 46
>
> [root@bacall log]# dig @8.8.8.8 nist.gov in soa
>
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 <<>> @8.8.8.8 nist.gov in soa
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17779
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;nist.gov. IN SOA
>
> ;; Query time: 5 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Mon Jun 14 06:31:59 EDT 2021
> ;; MSG SIZE rcvd: 37
>
> The time servers are documented here:
> https://urldefense.com/v3/__https://tf.nist.gov/tf-cgi/servers.cgi__;!!MlQdS1fu!DZRm9lRTouO4RyYpsdoZy2u792hhsKWBND7n9t0k6c_z15nmXjO3j7ufO18Zog$
>
> Using the IP addresses works; it looks like the nist.gov domain is offline.
>
> Matthew Huff | Director of Technical Operations | OTA Management LLC
>
> Office: 914-460-4039
> mh...@ox.com |
> https://urldefense.com/v3/__http://www.ox.com__;!!MlQdS1fu!DZRm9lRTouO4RyYpsdoZy2u792hhsKWBND7n9t0k6c_z15nmXjO3j7s2_kXJlQ$
> ...........................................................................................................................................
>
> _______________________________________________
> Outages mailing list
> Outages@outages.org
> https://urldefense.com/v3/__https://puck.nether.net/mailman/listinfo/outages__;!!MlQdS1fu!DZRm9lRTouO4RyYpsdoZy2u792hhsKWBND7n9t0k6c_z15nmXjO3j7vlVeiO4w$
>
_______________________________________________
Outages mailing list
Outages@outages.org
https://puck.nether.net/mailman/listinfo/outages
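
One way to test the DNSSEC hypothesis raised in the reply above, as an added example that is not part of the original thread: repeat each query with the CD (checking disabled) bit set, since a SERVFAIL that turns into NOERROR points at validation on that resolver rather than an unreachable zone. The function names and the second sample header are constructed for illustration.

```shell
#!/bin/sh
# Added example: tell a DNSSEC validation failure apart from a dead zone
# by comparing a normal query with the same query sent with the CD bit.

# Extract the RCODE from dig's ";; ->>HEADER<<-" line; TIMEOUT if no header.
rcode_of() {
    rc=$(printf '%s\n' "$1" |
         sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    printf '%s\n' "${rc:-TIMEOUT}"
}

# $1 = RCODE of the normal query, $2 = RCODE of the query sent with CD set.
classify() {
    case "$1/$2" in
        NOERROR/*)        echo ok ;;
        SERVFAIL/NOERROR) echo dnssec-validation-failure ;;
        SERVFAIL/*)       echo resolution-failure ;;
        TIMEOUT/*)        echo resolver-unreachable ;;
        *)                echo "other:$1" ;;
    esac
}

# Live probe (needs network and dig): probe RESOLVER NAME TYPE
probe() {
    opts="+noall +comments +time=2 +tries=1"
    # shellcheck disable=SC2086  # $opts is split into flags on purpose
    plain=$(dig "@$1" "$2" "$3" $opts 2>/dev/null) || true
    # shellcheck disable=SC2086
    nocheck=$(dig "@$1" "$2" "$3" +cdflag $opts 2>/dev/null) || true
    verdict=$(classify "$(rcode_of "$plain")" "$(rcode_of "$nocheck")")
    printf '%-12s %s\n' "$1" "$verdict"
}

# Sample input: the header 8.8.8.8 returned in the message above, and a
# constructed (hypothetical) header for the same query repeated with +cdflag.
SAMPLE_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17779'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242'

# Offline demonstration on the sample headers.
demo() { classify "$(rcode_of "$SAMPLE_PLAIN")" "$(rcode_of "$SAMPLE_CD")"; }
demo

# Live use against the resolvers sampled in the reply:
#   for r in 1.1.1.1 8.8.8.8 8.8.4.4 75.75.75.75 9.9.9.9; do
#       probe "$r" nist.gov SOA
#   done
```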