Halting the rollout of DNSSEC support for additional top-level domains

#1

We just received the attached technical note from Verisign regarding our planned roll-out of DNSSEC support to more top-level domains.

They observe that our assumption that nic.tld is owned by the TLD registry only applies to new top-level domains - not to older ones established before 2000, and not to ccTLDs. As a result, this could allow an unintended party to gain control of a TLD.

We’re halting plans to roll out the new root while we consider the best way to remedy this.

verisign-ens-root-change-issues-2019-04-12.pdf (181.3 KB)


#2

Curious as to the rationale behind using nic.tld rather than just tld for holding the TXT record.


#3

ICANN forbids registrars to set TXT records on TLDs.

We do have an alternative, however - we could provide registrars with a means to submit a signed message (such as said TXT record) without hosting it on DNS.
