[dns-operations] xn--l1acc TLD gone bad already

Chris Thompson cet1 at cam.ac.uk
Sun Apr 27 17:16:34 UTC 2014

On Jan 3 2014, I wrote:

>On Sep 6 2013, I wrote:
>>On Aug 22 2013, I wrote:
>>>The TLD "xn--l1acc" (an IDN for Mongolia) which was only added to the root
>>>zone last weekend, signed and with a DS right from the outset, seems to
>>>have got into trouble already.
>>>It looks as if a KSK rollover from a key with id 29566 to one with id 38599
>>>has been applied without changing the DS RRset in the root zone.
>>The mismatched KSK and DS have not changed since then. For a TLD, this
>>seems to be taking an inordinately long time to sort out.
>Well, if anyone agreed that was "inordinately long", I wonder what they
>think of the fact that the same KSK/DS mismatch is still there, three
>months on.
>Apart from that, all the RRSIGs in the zone expired on 2013-09-20.

The latest episode in this saga is that the RRSIGs are refreshed again,
and there is a DLV record for it in dlv.isc.org referencing the current
KSK. But the mismatching DS is still there in the root zone, so the DLV
record isn't helping any validator using a root zone trust anchor, even
if it is using lookaside validation as well.

Chris Thompson               University of Cambridge Information Services,
Email: cet1 at uis.cam.ac.uk    Roger Needham Building, 7 JJ Thomson Avenue,
Phone: +44 1223 334715       Cambridge CB3 0RB, United Kingdom.
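
The condition reported in this thread, a DS RRset in the parent that no longer corresponds to any DNSKEY published by the child, can be checked mechanically. The following is an added example, not part of the original message: it computes the RFC 4034 key tag and the RFC 4509 SHA-256 DS digest and compares the two sets. The keys are constructed placeholders (not the real xn--l1acc keys), and all function and constant names are assumptions made for the illustration.

```python
import hashlib
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag of DNSKEY RDATA (RFC 4034 Appendix B; not valid for algorithm 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def dnskey_rdata(flags: int, alg: int, pubkey: bytes) -> bytes:
    """flags | protocol (always 3) | algorithm | public key."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def wire_name(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner: str, rdata: bytes):
    """(key tag, algorithm, digest type 2, SHA-256 hex digest), per RFC 4509."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def check_delegation(owner, ds_set, dnskey_set):
    """Status per DS: 'ok', 'digest-mismatch' or 'no-matching-dnskey'.
    Only digest type 2 (SHA-256) is verified in this example."""
    results = []
    for tag, alg, dtype, digest in ds_set:
        status = "no-matching-dnskey"
        for rdata in dnskey_set:
            if key_tag(rdata) != tag or rdata[3] != alg:
                continue
            if dtype == 2 and make_ds(owner, rdata)[3] == digest.lower():
                status = "ok"
                break
            status = "digest-mismatch"  # tag collided or DS is stale/corrupt
        results.append((tag, status))
    return results

# Constructed sample keys (4-byte placeholders, not real key material).
OLD_KSK = dnskey_rdata(257, 8, b"\x01\x02\x03\x04")  # key the parent DS was made from
NEW_KSK = dnskey_rdata(257, 8, b"\x0a\x0b\x0c\x0d")  # key published after the rollover
ZSK = dnskey_rdata(256, 8, b"\x11\x12\x13\x14")
PARENT_DS = [make_ds("xn--l1acc.", OLD_KSK)]          # DS never updated in the parent

if __name__ == "__main__":
    for label, keys in (("before rollover", [OLD_KSK, ZSK]), ("after rollover", [NEW_KSK, ZSK])):
        result = check_delegation("xn--l1acc.", PARENT_DS, keys)
        intact = any(s == "ok" for _, s in result)
        print(label, result, "chain intact" if intact else "BOGUS: no DS matches a DNSKEY")
```

A validator with a root trust anchor treats the zone as bogus when no DS in the parent verifies against a published DNSKEY, which is the "after rollover" case here.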
