For over four days, a crucial server within the Internet’s domain name system (DNS) experienced an unexplained glitch, causing it to fall out of sync with its 12 peer root servers. The server, operated by Cogent Communications, is one of the 13 essential root servers that manage the Internet’s root zone.

C-root server lag: Typically, these root servers, which are clusters of geographically dispersed servers, synchronize rapidly to maintain Internet stability. However, the C-root server, managed by Cogent, stopped updating on Saturday, leading to a three-day lag compared to the other servers. This issue, flagged by French engineer Stéphane Bortzmeyer, forced engineers to delay scheduled updates for the .gov and .int domain name servers, which were set to implement new DNSSEC cryptographic keys.

DNSSEC delay: Christian Elmerot, a Cloudflare engineer overseeing the .gov DNSSEC transition, confirmed the situation was being monitored and the DNSSEC update would be postponed until the C-root server stabilized. The potential risks included increased susceptibility to DNS cache poisoning and other security threats if the cryptographic keys were not uniform across all root servers.

Network connectivity disruption: The glitch coincided with another issue that prevented access to the C-root website, also managed by Cogent. This problem was traced to Cogent transferring the website’s IP address to Orange Ivory Coast, causing further confusion. The root server issues emerged amid Cogent’s recent termination of peering agreements with several carriers, including a partial “depeering” with Tata Communications, which impacted connectivity for many sites in the Asia Pacific region.

Cogent responded late Wednesday, acknowledging the glitch and attributing it to an unrelated routing policy change. They stated the issue was resolved within 25 hours of identification, ensuring no DNS queries went unanswered, though root zone freshness was temporarily compromised. The exact relationship between the various issues remains unclear.