[dns-operations] It's begun...

Chris Thompson cet1 at cam.ac.uk
Thu Oct 24 14:23:44 UTC 2013

On Oct 24 2013, Dan York wrote:

>On 10/24/13 9:12 AM, "Chris Thompson" <cet1 at cam.ac.uk> wrote:
>>At 13:01 23-10-2013, Edward Lewis wrote:
>>>My sensors show 4 new gTLDs in the last hour or so...IDN,
>>>non-ccTLD...added between 1800 and 1900 UTC.
>>Not mentioned yet is that all four appeared already signed and with
>>DS records in the root zone.
>Funny you should mention that... I just published a post this morning
>promoting that fact:

There have been a few new TLDs signed from the start before this "dawn".
I may have missed some, but these certainly were:

  sx               on 2011-12-10   (ccTLD for Sint Maarten)
  post             on 2012-08-08
  xn--mgbx4cd0ab   on 2012-09-21   (IDN for MY = Malaysia)
  xn--l1acc        on 2013-08-18   (IDN for MN = Mongolia)

(the dates may suffer from off-by-one-or-even-more errors).

The last of those is a sad case, however, as a few days after its
initial appearance they performed a KSK rollover, omitting to change
the DS records in the root zone, and the zone has failed validation
ever since.

>From a DNSSEC-advocacy point of view, this is a great step forward as all
>new domains registered under these newgTLDs will at least have the
>*option* of being secured by DNSSEC.
>>But... the two Cyrillic gTLDs (xn--80asehdb & xn--80aswg) are a bit
>>broken, in that NXDOMAIN responses don't validate properly. Neither
>>dnssec-debugger.verisignlabs.com nor dnsviz.net is able to analyse
>>validation problems for NXDOMAIN responses, so I am not quite sure
>>why yet, but e.g.
>>  dig +dnssec www.xn--80asehdb.
>>  dig +dnssec www.xn--80aswg.
>>give SERVFAILs which can be avoided by adding the +cd option.
>Hmmm... interesting.  Perhaps some work is still needed on the operational
>front there...

Part of the problem is that only one NSEC3 record is returned - the
one covering the zone apex, which doesn't necessarily cover the
name queried for. But validation seems to fail even in cases when
the name is so covered. 

Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    Roger Needham Building, 7 JJ Thomson Avenue,
Phone: +44 1223 334715       Cambridge CB3 0RB, United Kingdom.

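The NXDOMAIN failure discussed above (only one NSEC3 record returned, the one for the zone apex, which does not necessarily cover the name queried for) comes down to the three things a validator must see in a name-error response under RFC 5155 section 8.4: an NSEC3 that matches the closest encloser, one that covers the "next closer" name, and one that covers the wildcard at the closest encloser. The following is an added example, not code from the thread or from any of the registries mentioned, showing the hashing and interval logic a validator applies. The NSEC3 parameters (salt aabbccdd, 12 iterations, zone "example.") are the ones from RFC 5155 Appendix A; the NSEC3 record sets fed to the checker are constructed for illustration, and the hashes come straight from the function below rather than from a real response (no parsing of dig output is attempted).

```python
"""NSEC3 name-error (NXDOMAIN) proof checker after RFC 5155 sections 5, 8.3 and 8.4.

Added example; the NSEC3 record sets used in the demo are constructed, not captured.
"""
import base64
import hashlib

# base32 with the "extended hex" alphabet (RFC 4648 section 7), which is what
# NSEC3 owner names use; Python's b32encode uses the standard alphabet.
_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_STD_TO_HEX = str.maketrans(_B32_STD, _B32_HEX)


def wire_name(name):
    """Canonical (lowercased) wire-format owner name, terminating root label included."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return out + b"\x00"


def nsec3_hash(name, salt_hex="-", iterations=0):
    """Hashed owner name: SHA-1 applied iterations+1 times, salt appended every round."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_STD_TO_HEX).lower()


def covers(owner_hash, next_hash, target_hash):
    """True if target lies strictly inside the (owner, next) interval.
    The last NSEC3 in the chain has next < owner and wraps around to the first;
    a chain of exactly one record has next == owner and covers everything but itself."""
    o, n, t = owner_hash.lower(), next_hash.lower(), target_hash.lower()
    if o < n:
        return o < t < n
    return t > o or t < n


def ancestors(qname, zone):
    """qname and every ancestor of it up to and including the zone apex."""
    q = qname.lower().rstrip(".").split(".")
    z = [l for l in zone.lower().rstrip(".").split(".") if l]
    if z and q[-len(z):] != z:
        raise ValueError(f"{qname} is not in zone {zone}")
    return [".".join(q[i:]) + "." for i in range(len(q) - len(z) + 1)]


def name_error_proof(qname, zone, nsec3_rrs, salt_hex, iterations):
    """Check what a validator needs from the authority section of an NXDOMAIN answer.

    nsec3_rrs: list of (owner_hash, next_hash) pairs taken from the NSEC3 records.
    Returns (ok, reason)."""
    owners = {o.lower(): n.lower() for o, n in nsec3_rrs}

    def covered(name):
        h = nsec3_hash(name, salt_hex, iterations)
        return any(covers(o, n, h) for o, n in owners.items())

    # 1. Closest encloser: walk up from qname. The first ancestor whose hash MATCHES
    #    an NSEC3 owner is the closest encloser; the name one label below it is the
    #    "next closer" name and must be COVERED by some NSEC3 interval.
    closest = next_closer = None
    for name in ancestors(qname, zone):
        if nsec3_hash(name, salt_hex, iterations) in owners:
            closest = name
            break
        next_closer = name
    if closest is None:
        return False, "no NSEC3 matches any ancestor of the query name (not even the apex)"
    if next_closer is None:
        return False, f"{qname} itself matches an NSEC3: it exists, so NXDOMAIN is wrong"
    if not covered(next_closer):
        return False, f"no NSEC3 covers next closer name {next_closer}"
    # 2. The wildcard at the closest encloser must be proven absent as well.
    wildcard = "*." + closest
    if not covered(wildcard):
        return False, f"no NSEC3 covers wildcard {wildcard}"
    return True, f"closest encloser {closest}"


if __name__ == "__main__":
    ZONE, SALT, ITER = "example.", "aabbccdd", 12   # RFC 5155 Appendix A parameters
    apex = nsec3_hash(ZONE, SALT, ITER)
    # Constructed: a chain of one record (next points back at the owner), so the apex
    # NSEC3 genuinely covers every other hash and the proof succeeds.
    complete = [(apex, apex)]
    # Constructed: the apex NSEC3 is present but its interval is so narrow that no
    # 32-character hash fits inside it; the closest encloser is found, the next closer
    # name is not covered, and a validator returns SERVFAIL (without +cd).
    apex_only = [(apex, apex[:-1] + chr(ord(apex[-1]) + 1))]
    for label, rrs in (("complete chain", complete), ("apex NSEC3 only", apex_only)):
        print(label, name_error_proof("www." + ZONE, ZONE, rrs, SALT, ITER))
```

Run against a real answer, the owner hashes are the first label of each NSEC3 owner name in the authority section and the next hashes are the first RDATA field after the salt; `dig +dnssec +cd` returns them even when validation fails, which is the quickest way to see which of the three proofs is missing.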
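The xn--l1acc case above (KSK rolled, DS records in the parent left pointing at the old key, zone failing validation ever since) is caught by a check that is cheap to run before and after any rollover: compute the DS for every zone key in the child's DNSKEY RRset and confirm that each DS the parent publishes matches one of them. The following is an added example, not code from the thread or from the registry concerned, implementing that comparison per RFC 4034 (DS digest over canonical owner name plus DNSKEY RDATA, key tag per Appendix B) with SHA-256 digests per RFC 4509. The DNSKEY material is constructed filler rather than real keys, and the zone name "example." is a placeholder; fetching the DNSKEY and DS RRsets is left to dig.

```python
"""Does the parent's DS RRset still match the child's DNSKEY RRset? (RFC 4034, RFC 4509)

Added example; the keys in the demo are constructed bytes, not real DNSKEYs.
"""
import hashlib

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types 1 and 2
ZONE_KEY_FLAG = 0x0100                              # a DS may only point at a zone key


def wire_name(name):
    """Canonical (lowercased) wire-format owner name, terminating root label included."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key; pubkey is raw bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag for every algorithm except RSA/MD5 (algorithm 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, rdata, digest_type=2):
    """DS as (key_tag, algorithm, digest_type, hex_digest), digest over owner || DNSKEY RDATA."""
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def stale_ds(owner, parent_ds, dnskeys):
    """Return every DS from the parent that matches no zone key in the child's DNSKEY RRset.

    parent_ds: list of (key_tag, algorithm, digest_type, hex_digest).
    dnskeys:   list of DNSKEY RDATA bytes from the child apex.
    An empty result means the chain of trust is intact."""
    published = {
        make_ds(owner, rd, dt)
        for rd in dnskeys
        if int.from_bytes(rd[:2], "big") & ZONE_KEY_FLAG
        for dt in DIGEST_ALGS
    }
    return [ds for ds in parent_ds if (ds[0], ds[1], ds[2], ds[3].upper()) not in published]


if __name__ == "__main__":
    # Constructed key material: flags 257 = zone key + SEP, protocol 3, algorithm 8.
    old_ksk = dnskey_rdata(257, 3, 8, b"constructed old KSK public key")
    new_ksk = dnskey_rdata(257, 3, 8, b"constructed new KSK public key")
    parent = [make_ds("example.", old_ksk)]          # what the parent published at signing time
    print("before rollover:", stale_ds("example.", parent, [old_ksk]))     # []
    print("rolled, DS not updated:", stale_ds("example.", parent, [new_ksk]))  # the stale DS
```

The pre-publish way to do a KSK rollover keeps the old and new keys in the DNSKEY RRset together until the parent's DS has been replaced; with both keys present the check stays empty throughout, and it only reports the old DS as stale once the old key is withdrawn before the DS change lands.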