
Some .io nameservers are returning wrong results again - JelteF
At my company (getstream.io) we&#x27;ve been having issues when resolving our domains randomly. After some more investigation it seems some .io nameservers are returning bad results. Specifically ns-a2.io and ns-a4.io. A correct result for crates.io looks like this:<p><pre><code>  $ dig crates.io @ns-a1.io +norecurse

  ; &lt;&lt;&gt;&gt; DiG 9.11.2 &lt;&lt;&gt;&gt; crates.io @ns-a1.io +norecurse
  ;; global options: +cmd
  ;; Got answer:
  ;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 18874
  ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, 
  ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 4096
  ;; QUESTION SECTION:
  ;crates.io.			IN	A

  ;; AUTHORITY SECTION:
  crates.io.		86400	IN	NS	dns3.easydns.ca.
  crates.io.		86400	IN	NS	dns1.easydns.com.
  crates.io.		86400	IN	NS	dns2.easydns.net.

  ;; Query time: 83 msec
  ;; SERVER: 194.0.1.1#53(194.0.1.1)
  ;; WHEN: Wed Sep 20 15:33:13 CEST 2017
  ;; MSG SIZE  rcvd: 127
</code></pre>
A bad one looks like the following:<p><pre><code>  dig crates.io @ns-a4.io +norecurse

  ; &lt;&lt;&gt;&gt; DiG 9.11.2 &lt;&lt;&gt;&gt; crates.io @ns-a4.io +norecurse
  ;; global options: +cmd
  ;; Got answer:
  ;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NXDOMAIN, id: 43223
  ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, 
  ADDITIONAL: 1

  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 4096
  ;; QUESTION SECTION:
  ;crates.io.			IN	A

  ;; AUTHORITY SECTION:
  io.			900	IN	SOA	a0.nic.io. noc.afilias-nst.info. 1497256201 10800 3600 2764800 900

  ;; Query time: 10 msec
  ;; SERVER: 74.116.179.1#53(74.116.179.1)
  ;; WHEN: Wed Sep 20 15:34:59 CEST 2017
  ;; MSG SIZE  rcvd: 105
</code></pre>
This has happened last year as well, so I wouldn&#x27;t recommend running something important on a .io domain: https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=12813065
======
ashitlerferad
I Contacted Cloudflare and the response was:

"Unfortunately this stops DNS traffic before it gets to Cloudflare so it is
not a problem we can solve for you as much as we would love to. Our
recommendation right now would be to contact your domain registrar to
understand more about this problem."

Contacted the registrar (iwantmyname.com) and their response:

"You're using external CloudFlare hosting, so our DNS management isn't being
used. We don't have any access to the hosting account or the ability to
address issues there. It does appear there's some issue with propagation."

~~~
ashitlerferad
Update from registrar:

"It sounds like it's a registry issue. The .IO registry was returning bad data
for some of its nameservers. However our upstream partner said that that seems
to have been resolved in the last hour or so."

------
AndyMcConachie
If you DNSSEC sign your domain then the NXDOMAIN would be rejected without
associated NSEC records. .io has a DS record in the root-zone. At the very
least caches would only be populated with the correct answer.

This is of course assuming the lookups are done using a validating resolver.

------
duellsy
We're copping the same at [https://elev.io](https://elev.io) as well...

Timing couldn't be worse, we did a product release on ProductHunt earlier
today :(

~~~
the_common_man
I am curious why you need a product hunt launch when you have over 500
companies using you? Are they all paying customers?

~~~
hayksaakian
I think they want more customers.

------
eyablon
Afilias manages the .io domain. Give them a call: +1 866.368.4636
[https://afilias.info/contact-us/support](https://afilias.info/contact-
us/support)

~~~
bryanlarsen
It looks like they manage a lot of other domains, all of which should be
avoided. Does anybody have a canonical list? It would be silly to switch away
from .io to another of their domains!

~~~
sp332
Not official, but
[https://en.wikipedia.org/wiki/Afilias](https://en.wikipedia.org/wiki/Afilias)

Registry operator: .info, .mobi .pro

Service provider for registry operators of: .org, .ngo, .lgbt, .asia, .aero,

Provider of domain name registry services for countries: .MN (Mongolia), .AG
(Antigua and Barbuda), .BM (Bermuda), .BZ (Belize), .GI (Gibraltar), .IN
(India), .ME (Montenegro), .SC (the Seychelles), and .VC (St. Vincent and the
Grenadines).

Provided ancillary support to: .SG (Singapore) and .HN (Honduras).

------
benmmurphy
.io seems to always have problems. its really sad that lots of people use this
domain because it looks cool :( [at work we use this as well]

------
JelteF
If this is affecting you it's best to put a long TTL (at least 1 hour) on your
domains. That way a good lookup will be cached longer and it will affect less
people.

~~~
cjsuk
Won't this also cache a bad record for longer like NXDOMAIN which is what
we're getting?

~~~
JelteF
No, the TTL for caching NXDOMAIN is decided by the nameservers SOA record. In
this case 900 (15 minutes). The reason for this is that if there's no domain
there's also no way to get it's TTL.

~~~
cjsuk
Thanks for the clarification - much appreciated!

------
nodesocket
Confirmed ns-a2.io and ns-a4.io don't seem to be responding with DNS results.

------
mittermayr
Customers are already filling up our support inbox, so same here. They can
access nic.io

Any quick fix ideas I can get to a customer without technical command-line
experience? Changing DNS or modifying hosts file is not really an option.

~~~
abofh
They boned :-/

In this case, think of it as if the guy who made your maps is giving you the
wrong country's maps. It's well made, clear, concise and wrong. There's no
'greater' authority then the map maker, so unless you can reconfigure your
users to believe in a different map (change hosts/dns), there's nothing that
can be done.

Patience :(

------
JelteF
The nameservers seem to be returning correct results for our domain again :)
(getstream.io). However, the issue is still there for crates.io, so this seems
the outage is still partially ongoing.

------
adrienjarthon
Indeed I noticed the same issue for my customers using .io domains (and me
unfortunately):
[https://twitter.com/updownio/status/910508435720065024](https://twitter.com/updownio/status/910508435720065024)

Seems to be getting better now. High TTL helps but mostly if it was there
before so do it now for the next downtime (it's frequent with .io)

~~~
JelteF
The problem is not actually downtime, because DNS handles that automatically
if at least one nameserver is up. The problem is nameservers returning
incorrect results. But yeah, .io has quite frequent problems.

~~~
adrienjarthon
Yeah for a DNS server returning wrong results is basically a downtime to me

------
cjsuk
We're seeing this as well.

Edit: it has now taken out our CI infrastructure and dev environments as it's
caching NXDOMAIN records.

------
devnull42
It appears that the issue at first impacted all servers in the anycast pool
however eventually it only impacted servers ns-a2 and ns-a4. Those servers
started returning NXDOMAINs. I am wondering if this was related to the root
server key change yesterday. .IO seems to struggle with basic DNS engineering.

------
snakegums
I guess that's just the cost of business when your start up is located in the
British Indian Ocean Territory

------
dten
I wonder if they messed up again and let someone register the .io nameservers

[https://thehackerblog.com/the-io-error-taking-control-of-
all...](https://thehackerblog.com/the-io-error-taking-control-of-all-io-
domains-with-a-targeted-registration/)

------
jlukic
Wanted to confirm same issue for my .io domains. This has gotten a lot of
people up this morning.

------
maplebed
For the curious, the first failure I saw was at 13:15UTC and the last was
14:59UTC.

~~~
laCour
13:14 UTC through 15:54 UTC here.

------
dedene
Same issue here. Does NIC.io have a status page for their root servers
somewhere?

------
bhouston
We are getting some client reports of connectivity issues with clara.io. I
suspect it is this issue but haven't been able to confirm.

------
daveknight
IO apears to have nameservers operated by Afilias, CommunityDNS, OneWorld DNS
(which appear to also be CommunityDNS)

    
    
        $ for ns in $(dig +short io. IN NS | sort); do
          ip=$(dig +short ${ns} IN A);
          rev=$(host ${ip} | awk -Fpointer '{print $2}');
          echo -n "= $ns = $ip = $rev = ";
          whois -h whois.ripe.net ${ip} | awk -F: '/^descr:/ && !/RIPE/ {print $2}';
        done
        
        = a0.nic.io. = 65.22.160.17 =  a0.nic.payu. = Afilias NS087 A0
        = b0.nic.io. = 65.22.161.17 =  b0.nic.payu. = Afilias NS087 B0
        = c0.nic.io. = 65.22.162.17 =  c0.nic.payu. = Afilias NS087 C0
        = ns-a1.io. = 194.0.1.1 =  ns1.communitydns.net. = ICB plc Anycast (via NetConnex AS21396), ICB plc Anycast (via Community DNS AS42909)
        = ns-a2.io. = 194.0.2.1 =  ns-a2.io. = ICB plc Anycast (via Community DNS AS42909)
        = ns-a3.io. = 74.116.178.1 =  b3-1.oneworlddns.net. = Community DNS
        = ns-a4.io. = 74.116.179.1 =  b4-1.oneworlddns.net. = Community DNS
    

It looks like a couple of the CommunityDNS nameservers are carrying a
different version of the zone than the others:

    
    
        dkmpb:~ dknight$ dig -4 +nss io.
        SOA a0.nic.io. noc.afilias-nst.info. 1497256293 10800 3600 2764800 900 from server 65.22.162.17 in 38 ms.
        SOA a0.nic.io. noc.afilias-nst.info. 1497256292 10800 3600 2764800 900 from server 65.22.160.17 in 44 ms.
        SOA a0.nic.io. noc.afilias-nst.info. 1497256201 10800 3600 2764800 900 from server 194.0.2.1 in 62 ms.
        SOA a0.nic.io. noc.afilias-nst.info. 1497256293 10800 3600 2764800 900 from server 194.0.1.1 in 64 ms.
        SOA a0.nic.io. noc.afilias-nst.info. 1497256293 10800 3600 2764800 900 from server 65.22.161.17 in 98 ms.
        SOA a0.nic.io. noc.afilias-nst.info. 1497256293 10800 3600 2764800 900 from server 74.116.178.1 in 101 ms.
        SOA a0.nic.io. noc.afilias-nst.info. 1497256201 10800 3600 2764800 900 from server 74.116.179.1 in 107 ms.
    

And a couple of them are giving bad response

    
    
        echo = Afilias
        dig +noall +norecur +cmd +answer +authority -4 +notcp @a0.nic.io. io. IN SOA hostname.bind. CH TXT shl.io. IN NS 
        dig +noall +norecur +cmd +answer +authority -4 +notcp @b0.nic.io. io. IN SOA hostname.bind. CH TXT shl.io. IN NS 
        dig +noall +norecur +cmd +answer +authority -4 +notcp @c0.nic.io. io. IN SOA hostname.bind. CH TXT shl.io. IN NS 
        echo
        echo = Community DNS
        dig +noall +norecur +cmd +answer +authority -4 +notcp @ns-a1.io. io. IN SOA hostname.bind. CH TXT shl.io. IN NS 
        dig +noall +norecur +cmd +answer +authority -4 +notcp @ns-a2.io. io. IN SOA hostname.bind. CH TXT shl.io. IN NS 
        dig +noall +norecur +cmd +answer +authority -4 +notcp @ns-a3.io. io. IN SOA hostname.bind. CH TXT shl.io. IN NS 
        dig +noall +norecur +cmd +answer +authority -4 +notcp @ns-a4.io. io. IN SOA hostname.bind. CH TXT shl.io. IN NS
        
        ====== Afilias ======
        
        ; <<>> DiG 9.8.3-P1 <<>> +noall +norecur +cmd +answer +authority -4 +notcp @a0.nic.io. io. IN SOA hostname.bind. CH TXT shl.io. IN NS
        ; (1 server found)
        ;; global options: +cmd
        io.			86400	IN	SOA	a0.nic.io. noc.afilias-nst.info. 1497256290 10800 3600 2764800 900
        io.			86400	IN	NS	ns-a3.io.
        io.			86400	IN	NS	b0.nic.io.
        io.			86400	IN	NS	ns-a1.io.
        io.			86400	IN	NS	ns-a4.io.
        io.			86400	IN	NS	ns-a2.io.
        io.			86400	IN	NS	a0.nic.io.
        io.			86400	IN	NS	c0.nic.io.
        hostname.bind.		0	CH	TXT	"ns087b.app22.iad1.afilias-nst.info"
        hostname.bind.		0	CH	NS	hostname.bind.
        shl.io.			86400	IN	NS	ns2.p23.dynect.net.
        shl.io.			86400	IN	NS	ns1.p23.dynect.net.
        shl.io.			86400	IN	NS	ns3.p23.dynect.net.
        shl.io.			86400	IN	NS	ns4.p23.dynect.net.
        shl.io.			86400	IN	NS	ns1.d-zone.ca.
        shl.io.			86400	IN	NS	ns2.d-zone.ca.
        
        ; <<>> DiG 9.8.3-P1 <<>> +noall +norecur +cmd +answer +authority -4 +notcp @b0.nic.io. io. IN SOA hostname.bind. CH TXT shl.io. IN NS
        ; (1 server found)
        ;; global options: +cmd
        io.			86400	IN	SOA	a0.nic.io. noc.afilias-nst.info. 1497256290 10800 3600 2764800 900
        io.			86400	IN	NS	ns-a1.io.
        io.			86400	IN	NS	c0.nic.io.
        io.			86400	IN	NS	ns-a3.io.
        io.			86400	IN	NS	a0.nic.io.
        io.			86400	IN	NS	ns-a2.io.
        io.			86400	IN	NS	ns-a4.io.
        io.			86400	IN	NS	b0.nic.io.
        hostname.bind.		0	CH	TXT	"ns087b.app12.lax1.afilias-nst.info"
        hostname.bind.		0	CH	NS	hostname.bind.
        shl.io.			86400	IN	NS	ns2.d-zone.ca.
        shl.io.			86400	IN	NS	ns1.p23.dynect.net.
        shl.io.			86400	IN	NS	ns1.d-zone.ca.
        shl.io.			86400	IN	NS	ns4.p23.dynect.net.
        shl.io.			86400	IN	NS	ns2.p23.dynect.net.
        shl.io.			86400	IN	NS	ns3.p23.dynect.net.
        
        ; <<>> DiG 9.8.3-P1 <<>> +noall +norecur +cmd +answer +authority -4 +notcp @c0.nic.io. io. IN SOA hostname.bind. CH TXT shl.io. IN NS
        ; (1 server found)
        ;; global options: +cmd
        io.			86400	IN	SOA	a0.nic.io. noc.afilias-nst.info. 1497256290 10800 3600 2764800 900
        io.			86400	IN	NS	ns-a1.io.
        io.			86400	IN	NS	c0.nic.io.
        io.			86400	IN	NS	ns-a4.io.
        io.			86400	IN	NS	ns-a2.io.
        io.			86400	IN	NS	ns-a3.io.
        io.			86400	IN	NS	b0.nic.io.
        io.			86400	IN	NS	a0.nic.io.
        hostname.bind.		0	CH	TXT	"ns087b.app25.iad1.afilias-nst.info"
        hostname.bind.		0	CH	NS	hostname.bind.
        shl.io.			86400	IN	NS	ns4.p23.dynect.net.
        shl.io.			86400	IN	NS	ns2.d-zone.ca.
        shl.io.			86400	IN	NS	ns2.p23.dynect.net.
        shl.io.			86400	IN	NS	ns1.d-zone.ca.
        shl.io.			86400	IN	NS	ns1.p23.dynect.net.
        shl.io.			86400	IN	NS	ns3.p23.dynect.net.
    
        ====== Community DNS ======
        
        ; <<>> DiG 9.8.3-P1 <<>> +noall +norecur +cmd +answer +authority -4 +notcp @ns-a1.io. io. IN SOA hostname.bind. CH TXT shl.io. IN NS
        ; (1 server found)
        ;; global options: +cmd
        io.			86400	IN	SOA	a0.nic.io. noc.afilias-nst.info. 1497256290 10800 3600 2764800 900
        hostname.bind.		0	CH	TXT	"NORM 002590-E2B186"
        shl.io.			86400	IN	NS	ns1.d-zone.ca.
        shl.io.			86400	IN	NS	ns2.d-zone.ca.
        shl.io.			86400	IN	NS	ns1.p23.dynect.net.
        shl.io.			86400	IN	NS	ns2.p23.dynect.net.
        shl.io.			86400	IN	NS	ns3.p23.dynect.net.
        shl.io.			86400	IN	NS	ns4.p23.dynect.net.
        
        ; <<>> DiG 9.8.3-P1 <<>> +noall +norecur +cmd +answer +authority -4 +notcp @ns-a2.io. io. IN SOA hostname.bind. CH TXT shl.io. IN NS
        ; (1 server found)
        ;; global options: +cmd
        io.			86400	IN	SOA	a0.nic.io. noc.afilias-nst.info. 1497256201 10800 3600 2764800 900
        hostname.bind.		0	CH	TXT	"COMM 002590-E2B186"
        io.			900	IN	SOA	a0.nic.io. noc.afilias-nst.info. 1497256201 10800 3600 2764800 900
        
        ; <<>> DiG 9.8.3-P1 <<>> +noall +norecur +cmd +answer +authority -4 +notcp @ns-a3.io. io. IN SOA hostname.bind. CH TXT shl.io. IN NS
        ; (1 server found)
        ;; global options: +cmd
        io.			86400	IN	SOA	a0.nic.io. noc.afilias-nst.info. 1497256290 10800 3600 2764800 900
        hostname.bind.		0	CH	TXT	"NORM 001B24-2DB609"
        shl.io.			86400	IN	NS	ns1.d-zone.ca.
        shl.io.			86400	IN	NS	ns2.d-zone.ca.
        shl.io.			86400	IN	NS	ns1.p23.dynect.net.
        shl.io.			86400	IN	NS	ns2.p23.dynect.net.
        shl.io.			86400	IN	NS	ns3.p23.dynect.net.
        shl.io.			86400	IN	NS	ns4.p23.dynect.net.
        
        ; <<>> DiG 9.8.3-P1 <<>> +noall +norecur +cmd +answer +authority -4 +notcp @ns-a4.io. io. IN SOA hostname.bind. CH TXT shl.io. IN NS
        ; (1 server found)
        ;; global options: +cmd
        io.			86400	IN	SOA	a0.nic.io. noc.afilias-nst.info. 1497256201 10800 3600 2764800 900
        hostname.bind.		0	CH	TXT	"COMM 001B24-2DB609"
        io.			900	IN	SOA	a0.nic.io. noc.afilias-nst.info. 1497256201 10800 3600 2764800 900

~~~
jlgaddis
FWIW, "dig -x" does reverse lookups. Or you can use "ptr" record type and the
.in-addr.arpa "FQDN". No need to switch to "host" for your reverse lookups.

------
codegeek
I tried loading redis.io and got the network error. I thought it was just
their site but looks like a bigger issue with .io.

------
dmuld
This affected my service as well. Where does the root of the problem lie, with
the .IO service itself or somewhere else?

------
treytacon
Yup, we're also seeing this fail for Elastic Cloud (our ES provider which
resolves to nodes on aws.found.io).

------
dmgawel
It affects also our website.

Is there any example of other TLDs having similar issues in past?

------
SEJeff
Not the first time .io has had issues:
[https://www.theregister.co.uk/2017/07/10/io_hijacking_in_tra...](https://www.theregister.co.uk/2017/07/10/io_hijacking_in_transition_cockup/)

------
wjkohnen
We were affected as well, but are back on ns-a[24].io. since about 1550Z.

------
Mojah
You know, it's ironic, but [https://dnsspy.io](https://dnsspy.io) \- which
also uses the .io TLD - would alert whenever something like this happens, so
you don't have to spend hours debugging a DNS issue.

------
mpswardle
Ours (kasko.io) seems to be working again on both ns-a2 and ns-a4

------
lowellmower
Incomplete copy pasta, or your dig commands are off?

------
leftnode
Yup, seeing this as well for one of our .io domains.

------
obeattie
Also seeing this affect several of our .io domains.

------
inka
Same here. Started 14:20 UK time (13:20 UTC).

------
msipenko
.io had a similar issue beginning this year.

------
msipenko
same issue here

------
a13n
We're getting this as well.

------
southpawflo
it's interesting, last night I was trying to get to sci-hub.io and all that
showed up was a blank page. I assumed due to the nature of the site that maybe
it was taken down but instead it's a .io problem

------
tbarbugli
Seems to be fixed now

~~~
a13n
For us too, but not everyone. Seems like they're rolling out some kind of fix.

------
ostap0207
Seeing the same issue

------
RobinUS2
Having same issues

------
daveknight
IO apears to have nameservers operated by Afilias, CommunityDNS, OneWorld DNS

$ for ns in $(dig +short io. IN NS | sort); do ip=$(dig +short ${ns} IN A);
rev=$(host ${ip} | awk -Fpointer '{print $2}'); echo -n "= $ns = $ip = $rev =
"; whois -h whois.ripe.net ${ip} | awk -F: '/^descr:/ && !/RIPE/ {print $2}';
done

= a0.nic.io. = 65.22.160.17 = a0.nic.payu. = Afilias NS087 A0 = b0.nic.io. =
65.22.161.17 = b0.nic.payu. = Afilias NS087 B0 = c0.nic.io. = 65.22.162.17 =
c0.nic.payu. = Afilias NS087 C0 = ns-a1.io. = 194.0.1.1 =
ns1.communitydns.net. = ICB plc Anycast (via NetConnex AS21396), ICB plc
Anycast (via Community DNS AS42909) = ns-a2.io. = 194.0.2.1 = ns-a2.io. = ICB
plc Anycast (via Community DNS AS42909) = ns-a3.io. = 74.116.178.1 =
b3-1.oneworlddns.net. = Community DNS = ns-a4.io. = 74.116.179.1 =
b4-1.oneworlddns.net. = Community DNS

It looks like a couple of the CommunityDNS nameservers are carrying a
different version of the zone than the others:

dkmpb:~ dknight$ dig -4 +nss io. SOA a0.nic.io. noc.afilias-nst.info.
1497256293 10800 3600 2764800 900 from server 65.22.162.17 in 38 ms. SOA
a0.nic.io. noc.afilias-nst.info. 1497256292 10800 3600 2764800 900 from server
65.22.160.17 in 44 ms. SOA a0.nic.io. noc.afilias-nst.info. 1497256201 10800
3600 2764800 900 from server 194.0.2.1 in 62 ms. SOA a0.nic.io. noc.afilias-
nst.info. 1497256293 10800 3600 2764800 900 from server 194.0.1.1 in 64 ms.
SOA a0.nic.io. noc.afilias-nst.info. 1497256293 10800 3600 2764800 900 from
server 65.22.161.17 in 98 ms. SOA a0.nic.io. noc.afilias-nst.info. 1497256293
10800 3600 2764800 900 from server 74.116.178.1 in 101 ms. SOA a0.nic.io.
noc.afilias-nst.info. 1497256201 10800 3600 2764800 900 from server
74.116.179.1 in 107 ms.

And they're giving bad responses

echo = Afilias dig +noall +norecur +cmd +answer +authority -4 +notcp
@a0.nic.io. io. IN SOA hostname.bind. CH TXT shl.io. IN NS dig +noall +norecur
+cmd +answer +authority -4 +notcp @b0.nic.io. io. IN SOA hostname.bind. CH TXT
shl.io. IN NS dig +noall +norecur +cmd +answer +authority -4 +notcp
@c0.nic.io. io. IN SOA hostname.bind. CH TXT shl.io. IN NS echo

echo = Community DNS dig +noall +norecur +cmd +answer +authority -4 +notcp
@ns-a1.io. io. IN SOA hostname.bind. CH TXT shl.io. IN NS dig +noall +norecur
+cmd +answer +authority -4 +notcp @ns-a2.io. io. IN SOA hostname.bind. CH TXT
shl.io. IN NS dig +noall +norecur +cmd +answer +authority -4 +notcp @ns-a3.io.
io. IN SOA hostname.bind. CH TXT shl.io. IN NS dig +noall +norecur +cmd
+answer +authority -4 +notcp @ns-a4.io. io. IN SOA hostname.bind. CH TXT
shl.io. IN NS echo

= Afilias

; <<>> DiG 9.8.3-P1 <<>> +noall +norecur +cmd +answer +authority -4 +notcp
@a0.nic.io. io. IN SOA hostname.bind. CH TXT shl.io. IN NS ; (1 server found)
;; global options: +cmd io. 86400 IN SOA a0.nic.io. noc.afilias-nst.info.
1497256301 10800 3600 2764800 900 io. 86400 IN NS c0.nic.io. io. 86400 IN NS
ns-a4.io. io. 86400 IN NS b0.nic.io. io. 86400 IN NS a0.nic.io. io. 86400 IN
NS ns-a3.io. io. 86400 IN NS ns-a1.io. io. 86400 IN NS ns-a2.io.
hostname.bind. 0 CH TXT "ns087b.app16.iad1.afilias-nst.info" hostname.bind. 0
CH NS hostname.bind. shl.io. 86400 IN NS ns2.d-zone.ca. shl.io. 86400 IN NS
ns1.d-zone.ca. shl.io. 86400 IN NS ns3.p23.dynect.net. shl.io. 86400 IN NS
ns1.p23.dynect.net. shl.io. 86400 IN NS ns2.p23.dynect.net. shl.io. 86400 IN
NS ns4.p23.dynect.net.

; <<>> DiG 9.8.3-P1 <<>> +noall +norecur +cmd +answer +authority -4 +notcp
@b0.nic.io. io. IN SOA hostname.bind. CH TXT shl.io. IN NS ; (1 server found)
;; global options: +cmd io. 86400 IN SOA a0.nic.io. noc.afilias-nst.info.
1497256301 10800 3600 2764800 900 io. 86400 IN NS a0.nic.io. io. 86400 IN NS
b0.nic.io. io. 86400 IN NS c0.nic.io. io. 86400 IN NS ns-a1.io. io. 86400 IN
NS ns-a2.io. io. 86400 IN NS ns-a3.io. io. 86400 IN NS ns-a4.io.
hostname.bind. 0 CH TXT "ns087b.app10.lax1.afilias-nst.info" hostname.bind. 0
CH NS hostname.bind. shl.io. 86400 IN NS ns2.d-zone.ca. shl.io. 86400 IN NS
ns2.p23.dynect.net. shl.io. 86400 IN NS ns1.p23.dynect.net. shl.io. 86400 IN
NS ns3.p23.dynect.net. shl.io. 86400 IN NS ns4.p23.dynect.net. shl.io. 86400
IN NS ns1.d-zone.ca.

; <<>> DiG 9.8.3-P1 <<>> +noall +norecur +cmd +answer +authority -4 +notcp
@c0.nic.io. io. IN SOA hostname.bind. CH TXT shl.io. IN NS ; (1 server found)
;; global options: +cmd io. 86400 IN SOA a0.nic.io. noc.afilias-nst.info.
1497256301 10800 3600 2764800 900 io. 86400 IN NS ns-a2.io. io. 86400 IN NS
c0.nic.io. io. 86400 IN NS ns-a1.io. io. 86400 IN NS a0.nic.io. io. 86400 IN
NS ns-a3.io. io. 86400 IN NS ns-a4.io. io. 86400 IN NS b0.nic.io.
hostname.bind. 0 CH TXT "ns087b.app9.iad1.afilias-nst.info" hostname.bind. 0
CH NS hostname.bind. shl.io. 86400 IN NS ns2.p23.dynect.net. shl.io. 86400 IN
NS ns4.p23.dynect.net. shl.io. 86400 IN NS ns1.p23.dynect.net. shl.io. 86400
IN NS ns2.d-zone.ca. shl.io. 86400 IN NS ns3.p23.dynect.net. shl.io. 86400 IN
NS ns1.d-zone.ca.

= Community DNS

; <<>> DiG 9.8.3-P1 <<>> +noall +norecur +cmd +answer +authority -4 +notcp
@ns-a1.io. io. IN SOA hostname.bind. CH TXT shl.io. IN NS ; (1 server found)
;; global options: +cmd io. 86400 IN SOA a0.nic.io. noc.afilias-nst.info.
1497256301 10800 3600 2764800 900 hostname.bind. 0 CH TXT "NORM 002590-E2B186"
shl.io. 86400 IN NS ns1.d-zone.ca. shl.io. 86400 IN NS ns2.d-zone.ca. shl.io.
86400 IN NS ns1.p23.dynect.net. shl.io. 86400 IN NS ns2.p23.dynect.net.
shl.io. 86400 IN NS ns3.p23.dynect.net. shl.io. 86400 IN NS
ns4.p23.dynect.net.

; <<>> DiG 9.8.3-P1 <<>> +noall +norecur +cmd +answer +authority -4 +notcp
@ns-a2.io. io. IN SOA hostname.bind. CH TXT shl.io. IN NS ; (1 server found)
;; global options: +cmd io. 86400 IN SOA a0.nic.io. noc.afilias-nst.info.
1497256301 10800 3600 2764800 900 hostname.bind. 0 CH TXT "COMM 002590-E2B186"
shl.io. 86400 IN NS ns1.d-zone.ca. shl.io. 86400 IN NS ns2.d-zone.ca. shl.io.
86400 IN NS ns1.p23.dynect.net. shl.io. 86400 IN NS ns2.p23.dynect.net.
shl.io. 86400 IN NS ns3.p23.dynect.net. shl.io. 86400 IN NS
ns4.p23.dynect.net. = OneWorldDNS / CommunityDNS?

; <<>> DiG 9.8.3-P1 <<>> +noall +norecur +cmd +answer +authority -4 +notcp
@ns-a3.io. io. IN SOA hostname.bind. CH TXT shl.io. IN NS ; (1 server found)
;; global options: +cmd io. 86400 IN SOA a0.nic.io. noc.afilias-nst.info.
1497256301 10800 3600 2764800 900 hostname.bind. 0 CH TXT "NORM 001B24-2DB609"
shl.io. 86400 IN NS ns1.d-zone.ca. shl.io. 86400 IN NS ns2.d-zone.ca. shl.io.
86400 IN NS ns1.p23.dynect.net. shl.io. 86400 IN NS ns2.p23.dynect.net.
shl.io. 86400 IN NS ns3.p23.dynect.net. shl.io. 86400 IN NS
ns4.p23.dynect.net.

; <<>> DiG 9.8.3-P1 <<>> +noall +norecur +cmd +answer +authority -4 +notcp
@ns-a4.io. io. IN SOA hostname.bind. CH TXT shl.io. IN NS ; (1 server found)
;; global options: +cmd io. 86400 IN SOA a0.nic.io. noc.afilias-nst.info.
1497256301 10800 3600 2764800 900 hostname.bind. 0 CH TXT "COMM 001B24-2DB609"
shl.io. 86400 IN NS ns1.d-zone.ca. shl.io. 86400 IN NS ns2.d-zone.ca. shl.io.
86400 IN NS ns1.p23.dynect.net. shl.io. 86400 IN NS ns2.p23.dynect.net.
shl.io. 86400 IN NS ns3.p23.dynect.net. shl.io. 86400 IN NS
ns4.p23.dynect.net.

~~~
jlgaddis
Try indenting those lines two spaces.

------
pedrofranceschi
same

------
CoreXtreme
Same issue here! Luckily, all our API clients include a fallback domain.

~~~
jlgaddis
Luckily? No, that sounds intentional and well-planned.

------
johns
Might be limited to Route 53:
[https://status.aws.amazon.com/](https://status.aws.amazon.com/)

~~~
dmuld
I'm not getting that impression from the status update:

"We can confirm that resolution of .io domain names are intermittently failing
due to issues with the .io TLD name servers that are hosted external to AWS.
Route 53 name servers continue to operate normally, but customers who have
sub-domains of .io hosted on Route 53 may experience issues until the .io TLD
name servers hosted externally are resolved."

