by jlgaddis 4000 days ago
What's the mistake?

The reason there are multiple DNS servers is in case one/some of them have problems. There are two other root servers for the .io. zone that are apparently functioning just fine. That means the overall system is working as intended, no?

Also, I don't think we know (yet) why five of the seven are down. If it turns out to be some "amateur hour" mistake then, sure, I could see it being used against ICB. If, however, the underlying issue is/was out of their control, then why should they be penalized?

ETA: It appears that the name servers are actually "up". They respond to ICMP echo requests but aren't answering queries:

  $ ping -q -c 5 a.nic.io
  PING a.nic.io (64.251.31.179): 56 data bytes

  --- a.nic.io ping statistics ---
  5 packets transmitted, 5 packets received, 0.0% packet loss
  round-trip min/avg/max/stddev = 45.123/45.283/45.453/0.106 ms

  $ dig ns docker.io @a.nic.io

  ; <<>> DiG 9.10.2 <<>> ns docker.io @a.nic.io
  ;; global options: +cmd
  ;; connection timed out; no servers could be reached
2 comments

To be fair, even if it was "amateur hour", it was apparently mitigated by practices which kept two of the seven up.

I've watched other companies do far worse.

Try using +norec in dig and you'll get a response.
Interesting, it works locally for me when using +norec (i.e. Recursion Desired = false)... but is there a valid reason for an authoritative to respond anything if RD is set to true? FYI Pulse always sets RD=true.
Interesting. I was using "+trace" earlier (which implies "+norec", IIRC) and still wasn't getting a response from most of them.
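
The difference between a default dig query and `dig +norec` discussed in this thread is a single header bit, Recursion Desired. As an added example (not part of any comment here), the Python sketch below sends the same NS question with RD set and with RD clear and names the resulting pattern; the function names `build_query`, `probe` and `classify` are hypothetical, and the server and name are whatever you pass on the command line.

```python
import socket
import struct
import sys

RD_FLAG = 0x0100  # Recursion Desired bit in the 16-bit DNS header flags field

def build_query(name, qtype=2, rd=True, txid=0x1234):
    """Build a one-question DNS query (qtype 2 = NS, class IN)."""
    header = struct.pack("!HHHHHH", txid, RD_FLAG if rd else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def probe(server, name, rd, port=53, timeout=3.0, txid=0x1234):
    """Send one UDP query; return the response RCODE, or None if nothing usable came back."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, rd=rd, txid=txid), (server, port))
            data, _ = s.recvfrom(4096)
    except OSError:  # includes socket.timeout and resolution errors
        return None
    if len(data) < 12 or struct.unpack("!H", data[:2])[0] != txid:
        return None  # truncated, or not an answer to our query
    return struct.unpack("!H", data[2:4])[0] & 0x000F

def classify(rd_rcode, norec_rcode):
    """Name the pattern seen when the same question is sent with RD=1 and RD=0."""
    if rd_rcode is None and norec_rcode is None:
        return "no DNS answer at all"
    if rd_rcode is None:
        return "answers only when RD is clear"
    if norec_rcode is None:
        return "answers only when RD is set"
    return "answers both"

if __name__ == "__main__":
    # Usage (arguments are the server and name you are troubleshooting):
    #   python3 rd_probe.py <server-ip> <name>
    server, name = sys.argv[1], sys.argv[2]
    with_rd, without_rd = probe(server, name, rd=True), probe(server, name, rd=False)
    print(f"RD=1 rcode: {with_rd}  RD=0 rcode: {without_rd}")
    print(classify(with_rd, without_rd))
```

A server that answers ping but yields "answers only when RD is clear" matches the behaviour reported above for dig with and without `+norec`.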