Here Today, Gone Tomorrow

Mat Ford
Technology Insights, Internet Society
April 19, 2023

While I was writing this post for Pulse last year, to note that the Top Level Domain (TLD) for Côte d’Ivoire (.ci) had been signed, I noticed that both .ke (Kenya) and .bw (Botswana) had been unsigned since 15 September and 22 June respectively, even though both of these domains had previously been signed. It’s troubling to see core Internet infrastructure like country-code DNS move backward from a secure to an insecure state.

I kept an eye on the situation in Kenya, and I’m happy to report that .ke has been DNSSEC-signed again since 18 March this year. The Botswana TLD remains unsigned.

These events got me thinking—how common is it that signed ccTLDs revert to being unsigned? After a little data manipulation on Observable we can see that (ignoring what seem to be very short-lived transient outages or data collection problems) there are several domains where the DNSSEC security posture has varied over time.

Figure 1 — DNSSEC-signed status of a selection of ccTLDs for the period 2011 – 2023

We often post short articles on the Pulse Blog to highlight newly signed TLDs, and I was getting ready to write such a post to celebrate the Zambian TLD (.zm) moving to a signed state. But as you can see from the chart above, .zm was signed for nearly four years between 2015 and 2019. We can also see that the recent DNSSEC outage in Kenya wasn’t the first, as there was a considerable outage in 2015. Other ‘unsignings’ include:

  • Madagascar (.mg) was signed from 2016 to 2019 but is no longer. (STOP PRESS: While this post was being prepared for publication, .mg was signed once again – let’s hope it stays that way!)
  • Myanmar (.mm) had a long outage from 2019 to 2020. 
  • Syria (.sy) was signed in 2016 and remained so until 2018 but has since been unsigned.

Finally, it’s interesting to note the relatively short but still multi-day outage of the New Zealand TLD (.nz) in 2012, shortly after it was initially signed.
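The kind of filtering described above (ignore very short-lived gaps, then report when a previously signed TLD is seen unsigned) can be sketched as follows. This is an added example, not the code behind the chart; the daily `(date, signed)` observation format, the 7-day threshold and the sample series are assumptions constructed for illustration.

```python
from datetime import date, timedelta

def unsigned_periods(observations, min_days=7):
    """Return (start, end) spans where a previously signed TLD was seen unsigned.

    observations: iterable of (date, signed) pairs, one per measurement.
    Spans shorter than min_days are treated as transient and dropped.
    end is the first day the TLD is signed again, or None if it is still
    unsigned at the last observation.
    """
    periods = []
    ever_signed = False
    gap_start = None
    last_day = None
    for day, signed in sorted(observations):
        last_day = day
        if signed:
            if gap_start is not None and (day - gap_start).days >= min_days:
                periods.append((gap_start, day))
            gap_start = None
            ever_signed = True
        elif ever_signed and gap_start is None:
            # Only count gaps that follow a signed state (a regression).
            gap_start = day
    if gap_start is not None and (last_day - gap_start).days + 1 >= min_days:
        periods.append((gap_start, None))
    return periods

def daily(start, end, signed):
    """Constructed helper: one observation per day from start to end inclusive."""
    n = (end - start).days + 1
    return [(start + timedelta(days=i), signed) for i in range(n)]

# Constructed sample series for a hypothetical TLD (not real measurement data).
SAMPLE = (
    daily(date(2022, 1, 1), date(2022, 1, 9), False)      # never signed yet
    + daily(date(2022, 1, 10), date(2022, 3, 1), True)
    + daily(date(2022, 3, 2), date(2022, 3, 3), False)    # 2-day blip
    + daily(date(2022, 3, 4), date(2022, 4, 30), True)
    + daily(date(2022, 5, 1), date(2022, 5, 20), False)   # 20-day outage
    + daily(date(2022, 5, 21), date(2022, 6, 30), True)
    + daily(date(2022, 7, 1), date(2022, 7, 31), False)   # still unsigned
)

if __name__ == "__main__":
    for start, end in unsigned_periods(SAMPLE):
        print(start, "->", end or "still unsigned")
```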

If any ccTLD operators are reading this and would like to share the kind of operational challenges that result in signed country-code TLDs becoming unsigned, we’re all ears at [email protected].