Dear Viktor ..

Many thanks for the heads up .. We are in the middle of updating the records .. The update is currently pending one approval .. Once done, today, all problems will hopefully be fixed ..

Kind Regards
--Manal

-----Original Message-----
From: dns-operations <dns-operations-boun...@dns-oarc.net> On Behalf Of Viktor Dukhovni
Sent: Wednesday, July 19, 2023 7:57 PM
To: Christine Arida <ch...@tra.gov.eg>
Cc: Manal Ismail <ma...@tra.gov.eg>; admin <ad...@tra.gov.eg>
Subject: DNSSEC resolution failure for the "مصر" TLD (xn--wgbh1c)

The "مصر" (xn--wgbh1c) IDN ccTLD has a DNSKEY RRset (algorithm 13) which does not match its root zone DS RRset (algorithm 8). This makes the entire TLD zone invalid from the perspective of DNSSEC validating resolvers:

    https://dnsviz.net/d/xn--wgbh1c/ZLgSxA/dnssec/

This appears to have been the case for some time now:

    https://dnsviz.net/d/xn--wgbh1c/ZKrM7Q/dnssec/

and earlier dates show expired algorithm 8 signatures:

    https://dnsviz.net/d/xn--wgbh1c/ZJxIrQ/dnssec/

While it is nice to see an apparent rollover to algorithm 13 in progress, of course the DS RRset needs to include the new algorithm (13) before the RSA keys for algorithm 8 can be dropped from the zone apex. Though at this point it is likely easier to replace the root zone DS records with matching algorithm 13 data.

--
Viktor.
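
The mismatch reported in this thread, as an added example that is not part of the original messages: a Python check of whether a parent DS RRset still matches any DNSKEY at the zone apex, run over the stages of an algorithm 8 to algorithm 13 rollover. The key bytes are constructed placeholders, not the TLD's real keys, the function names are illustrative, and the check covers only the DS-to-DNSKEY link (no RRSIG validation).

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercased) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner, rdata):
    """SHA-256 DS digest (digest type 2): owner name followed by DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

def make_ds(owner, rdata):
    """DS as (key tag, algorithm, digest type, digest) for one DNSKEY."""
    return (key_tag(rdata), rdata[3], 2, ds_digest(owner, rdata))

def chain_ok(owner, ds_rrset, dnskey_rrset):
    """True if some DS matches some DNSKEY by key tag, algorithm and digest."""
    return any(
        dtype == 2 and key_tag(k) == tag and k[3] == alg and ds_digest(owner, k) == digest
        for tag, alg, dtype, digest in ds_rrset
        for k in dnskey_rrset
    )

def rollover_states(owner="xn--wgbh1c."):
    # Constructed placeholder key bytes, not the TLD's real keys.
    rsa = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(128)))
    ecdsa = dnskey_rdata(257, 3, 13, hashlib.sha256(b"constructed").digest() * 2)
    ds8, ds13 = make_ds(owner, rsa), make_ds(owner, ecdsa)
    return {
        "DS alg 8, DNSKEY alg 8": chain_ok(owner, [ds8], [rsa]),
        "DS alg 8, DNSKEY alg 13 (as reported)": chain_ok(owner, [ds8], [ecdsa]),
        "DS alg 8, DNSKEY alg 8 + 13": chain_ok(owner, [ds8], [rsa, ecdsa]),
        "DS alg 8 + 13, DNSKEY alg 13": chain_ok(owner, [ds8, ds13], [ecdsa]),
        "DS alg 13, DNSKEY alg 13": chain_ok(owner, [ds13], [ecdsa]),
    }

if __name__ == "__main__":
    for state, ok in rollover_states().items():
        print(f"{state:40} {'DS matches a DNSKEY' if ok else 'no match: zone is bogus'}")
```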