While I was writing this post for Pulse last year, to note that the Top Level Domain (TLD) for Côte d’Ivoire (.ci) had been signed, I noticed that both .ke (Kenya) and .bw (Botswana) were unsigned since 15 September and 22 June respectively. Both of these domains had previously been signed. It’s very troubling to see core Internet infrastructure like country-code DNS move backward from a secure to an insecure state. I kept an eye on the situation in Kenya, and am really happy to report that .ke is again DNSSEC-signed since 18 March this year. The Botswana TLD remains unsigned.
These events got me thinking—how common is it that signed ccTLDs revert to being unsigned? After a little bit of data manipulation on Observable we can see that (ignoring what seem to be very short-lived transient outages or data collection problems) there are several domains where the DNSSEC security posture has varied over time.
We often post short articles on Pulse to highlight newly signed TLDs and I was getting ready to pen such a post to celebrate the Zambian TLD (.zm) moving to a signed state. But as you can see from the chart above, .zm was actually signed for nearly four years between 2015 and 2019. We can also see that the recent long DNSSEC outage in Kenya wasn’t the first as there was a considerable outage in 2015.
- Madagascar (.mg) was signed from 2016 to 2019 but is no longer.
- Myanmar (.mm) had a long outage from 2019 to 2020.
- Syria (.sy) was signed in 2016 and remained so until 2018 but has been unsigned since.
Finally, it’s interesting to note the relatively short but still multi-day outage of the New Zealand TLD (.nz) that occurred in 2012 shortly after it was initially signed.
If any ccTLD operators are reading this and would like to share the kind of operational challenges that result in signed country-code TLDs becoming unsigned, we’re all ears at [email protected].