DNS Problems – Resolved

We are seeing an increase in DNSSEC validation failures on our recursive DNS servers. The cause has been identified as a security patch that was applied, which applied a stricter validation policy to domains with DNSSEC enabled. We are currently looking for ways to mitigate the problem.

Update: The cause of these problems has been positively identified as a behavior change that came along with a new version of ISC’s BIND, which was released two days ago in response to a collection of discovered potential security exploits in a group of CVEs. As always, we strive to deploy security fixes in our network as quickly as possible, and we deployed this new version to all of our recursive DNS cluster backend servers over the course of the day starting Thursday AM. The problem specifically is the removal of SIG(0) combined with a change in behavior for what are seen as “invalid” DNSSEC keys, resulting in these being treated as failures instead of being skipped. We’re currently stuck between a rock and a hard place: a known potential cache poisoning vulnerability, or a version which results in an unknown quantity of broken domains still relying on SIG(0). More updates forthcoming; we hope to have chosen a path forward to mitigate customer impact from this soon.

Update: We are in the process of rolling back the affected version across our name server clusters. It is our assessment that the additional complexity we believe is required for one of these potential cache poisoning attacks to succeed in our network justifies rolling back to the previous version rather than the other choice, which was to entirely disable DNSSEC until the issues with the new version could be resolved. For additional clarity, this was originally brought to our attention by students and staff at usfca.edu who found they were unable to resolve usfca.edu domains this morning. We are not sure how many other affected domains there are or if these issues can rightly be blamed on the upstream DNS server administrators or not. The rollback should be completed shortly and we’re sorry for any confusion or trouble this may have caused you today. -Kelsey, Kevan and William

Update 2025-10-31: As it turns out, this problem ended up being a combination of several issues and was actually related to zones that contained a deprecated DNSSEC key type (RSASHA1), even if they also had a valid key. This was additionally confused by RHEL’s security policy framework, which triggered the new undesired behavior in BIND. We are investigating several workaround solutions for this but also expect that BIND will be releasing an update that corrects this behavior relatively soon.

-SOC
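To gauge how many zones carry the key mix described in the 2025-10-31 update, the DNSKEY answers for a list of zones can be classified by algorithm number. This is an added example, not Sonic's or ISC's tooling: the zone names and key data are constructed, and the check goes slightly beyond the post by also flagging algorithm 7 (RSASHA1-NSEC3-SHA1) alongside algorithm 5 (RSASHA1), both from the IANA DNSSEC algorithm registry.

```python
import re
from collections import defaultdict

# IANA DNSSEC algorithm numbers that rely on SHA-1.
SHA1_ALGS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1"}

# Matches DNSKEY records in presentation format, as printed by
# `dig +noall +answer DNSKEY <zone>`: owner [ttl] [class] DNSKEY flags proto alg key
DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+\S",
    re.IGNORECASE,
)

# Constructed sample input (hypothetical zones, placeholder key material).
SAMPLE = """\
; constructed dig output
mixed.example.   3600 IN DNSKEY 257 3 5  AwEAAcCONSTRUCTED
mixed.example.   3600 IN DNSKEY 257 3 13 mdsswCONSTRUCTED
mixed.example.   3600 IN RRSIG  DNSKEY 13 2 3600 20260101000000 20251201000000 1 mixed.example. sigCONSTRUCTED
modern.example.  3600 IN DNSKEY 257 3 13 kXKkvCONSTRUCTED
modern.example.  3600 IN DNSKEY 256 3 13 oJMRECONSTRUCTED
legacy.example.  3600 IN DNSKEY 257 3 7  AwEAAbCONSTRUCTED
"""

def classify_zones(text):
    """Return {zone: (status, sorted algorithm numbers)} for DNSKEY records in text.

    status is "ok" (no SHA-1 keys), "sha1-only", or "mixed" (a SHA-1 key
    published next to a key using another algorithm).
    """
    algs = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig comment lines
        m = DNSKEY_RE.match(line)
        if m:  # RRSIG and other record types do not match
            algs[m["owner"].lower().rstrip(".")].add(int(m["alg"]))
    report = {}
    for zone, seen in algs.items():
        sha1 = seen & set(SHA1_ALGS)
        status = "ok" if not sha1 else ("sha1-only" if sha1 == seen else "mixed")
        report[zone] = (status, sorted(seen))
    return report

if __name__ == "__main__":
    for zone, (status, seen) in sorted(classify_zones(SAMPLE).items()):
        print(f"{zone:16} {status:10} algorithms={seen}")
```

Zones reported as "mixed" match the case the update describes: a deprecated key published next to a valid one.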

webmail upgrade coming soon

Sonic will soon be rolling out an upgrade to https://webmail.sonic.net

You can preview these changes by going to https://webmail-beta.sonic.net

For more information, please use this link: https://forums.sonic.net/viewtopic.php?t=18376

Update: We’re aware of an issue post upgrade regarding contacts in webmail.  Please follow https://forums.sonic.net/viewtopic.php?t=18376&start=40 for details.  A shorter update will be posted here as the situation evolves.

Update: A fix has been made on https://webmail.sonic.net, and anyone still experiencing problems should contact Sonic via a private message on the forums.sonic.net site. Please see the post called “We’ve applied a fix to the contacts issue” on forums.sonic.net for more details.

VPN Encryption TLS Update

On Friday, October 24th at 11am PST we will be upgrading our VPN cluster to modify the minimum supported TLS encryption version from 1.1 to 1.2. Our analysis shows that we do not have any active users connecting with TLS 1.1; however, we still wanted to provide this notice for your information. Thank you for your understanding, and thanks for choosing Sonic!

– System Operations team

Intermittent IMAP login issue.

Routine maintenance this evening caused unexpected load on some of our IMAP/POP mail servers that lasted from 11:15pm to 12:12am. During this time some users may have experienced intermittent problems logging in. The situation is believed to be resolved; our operations team will be reviewing the incident to reduce the impact of the same maintenance in the future.

-SOC

Systems Maintenance

Update: Maintenance complete

Beginning at 11pm tonight (10/7/2025), System Operations will be performing updates to various public-facing systems which may lead to short disruptions of those systems.

Maintenance work for each system is expected to be very brief, and the overall maintenance period is scheduled for one hour. An update will be sent upon completion.

Technical Support and Billing availability update for 10/03/2025

We are taking a short break to celebrate our hardworking teams:

Sonic Technical Support will be closed from 11AM to 4PM PST on 10/3/25.
Sonic Billing Team will be closed starting at 11AM on 10/3/25 and reopening on Saturday, 10/4/25 at 8AM.

Give us a call today if you need any assistance in advance!

Thank you for understanding.

IMAP issue – Friday 08/08/2025

Last Friday (08/08/2025), from 11:14pm to 11:42pm PDT, our mail infrastructure had issues with serving requests to IMAP. The result would be seen as a failure to use IMAP (such as logging in or retrieving emails) during that time. Delivery of emails was unaffected. Although this MOTD is belated, it is the intent of our team to announce issues close to when they are noticed. At this time, email service should be stable.

4th of July Holiday Hours

Sonic Technical Support will close early at 5 PM on Friday, July 4th. We will return to our regular 8 AM to 10 PM operating hours on Saturday, July 5th.

Our Network Operations team will remain available with reduced staffing for our enterprise, dedicated circuit and colocated customers.

The Billing and Consumer Sales teams will be closed on Friday, July 4th for the holiday and will return to normal operating hours on Saturday, July 5th.

Recursive DNS Issues

We’ve been working on several improvements to our recursive DNS cluster configs to improve performance across the board and better support network growth in new regions beyond our existing service footprint in Northern and Southern California, and have rolled out several config changes to the DNS proxies that handle ns1 and ns2.sonic.net over the past week. What we believed to be the last of those changes was pushed out this afternoon to the entire fleet after having cooked properly on a few systems at 3:15PM. After that change was pushed, a significant portion of IPv6 DNS requests appeared to be black holed by some of the servers. The issues continued until about 3:46PM. We are still unclear on the root cause of this but all services are currently stabilized and running as expected at this time. We will continue to investigate in the hope that we can identify the cause; it seems possible it could be a bug in the DNS-specific load balancing software itself.

It is worth noting that our expectation was that most clients would have both v6 and v4 servers configured, but it is evident that is not the case, and it is likely that the majority of v6-enabled clients on our network have no failover to v4 requests. If you have statically configured name servers, we’d suggest you list both the v6 and v4 addresses listed below.

2001:5a8::11
2001:5a8::33
50.0.1.1
50.0.2.2

-Kelsey, William and the rest of Systems.