[dns-operations] DNSSEC problem with "xn--mgbx4cd0ab"

Chris Thompson cet1 at cam.ac.uk
Sat Dec 1 20:33:00 UTC 2012


[Copied to hostmaster at mynic.net.my as SOA.rname for the TLD]

I noticed that the TLD "xn--mgbx4cd0ab" (IDN for Malaysia) had fallen out
of the green set at http://stats.research.icann.org/dns/tld_report/ for
the last couple of days, despite the fact that it has DS records in the
root zone. And in fact a validating resolver gets SERVFAILs for it.

It seems that there is a mismatch between the DS records and the DNSKEY
records in the zone. http://dnssec-debugger.verisignlabs.com/xn--mgbx4cd0ab
says "The DNSKEY RRset was not signed by any keys in the chain-of-trust".

The DS records are for keys with ids 17106 and 21774. The DNSKEY
corresponding to the latter is revoked, while the one corresponding to
the former is present but is not used to sign the DNSKEY RRset. The only
KSK that is so used has id 21138, and there is no DS referencing it.

-- 
Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.


More information about the dns-operations mailing list