[dns-operations] DNSSEC resolution failure for the "مصر" TLD (xn--wgbh1c)

Manal Ismail manal at tra.gov.eg
Mon Jul 24 09:13:30 UTC 2023


Dear Viktor ..
Many thanks for the heads up ..
We are in the middle of updating the records .. The update is currently pending one approval .. Once done, today, all problems will hopefully be fixed ..
Kind Regards
--Manal

-----Original Message-----
From: dns-operations <dns-operations-bounces at dns-oarc.net> On Behalf Of Viktor Dukhovni
Sent: Wednesday, July 19, 2023 7:57 PM
To: Christine Arida <chris at tra.gov.eg>
Cc: Manal Ismail <manal at tra.gov.eg>; admin <admin at tra.gov.eg>
Subject: DNSSEC resolution failure for the "مصر" TLD (xn--wgbh1c)

The "مصر" (xn--wgbh1c) IDN ccTLD has a DNSKEY RRset (algorithm 13) which does not match its root zone DS RRset (algorithm 8).  This makes the entire TLD zone invalid from the perspective of DNSSEC validating resolvers:

    https://dnsviz.net/d/xn--wgbh1c/ZLgSxA/dnssec/

This appears to have been the case for some time now:

    https://dnsviz.net/d/xn--wgbh1c/ZKrM7Q/dnssec/

and earlier dates show expired algorithm 8 signatures:

    https://dnsviz.net/d/xn--wgbh1c/ZJxIrQ/dnssec/

While it is nice to see an apparent rollover to algorithm 13 in progress, of course the DS RRset needs to include the new algorithm (13) before the RSA keys for algorithm 8 can be dropped from the zone apex.

Though at this point likely easier to replace the root zone DS records with matching algorithm 13 data.

-- 
    Viktor.
