Strange failure on XN--MGBA3A4F16A.

I'm running unbound 1.9.1 from the FreeBSD package. I have DNSSEC
validation turned on.

When I try to look up the XN--MGBA3A4F16A. TLD, after a delay I get
SERVFAIL. I'm using a local root served by NSD which handles the
query without trouble. I turned off the local root, same problem.

This happens to be the IDN version of .ir which resolves without
trouble. Public resolvers like 8.8.8.8 resolve it too.

Any suggestions?

(In case you were wondering, I ran a script which checks the NS records
of every TLD that's supposed to be in the root, and I found that one
and only that one failed.)

Same for unbound 1.8.3, without running a local root.

A restart with verbosity enabled, to see what's going on, of
course worked like a charm :confused:

Note the TTL is pretty short (1440, did someone confuse MTU for TTL?)

Manual checking:

# dig ns XN--MGBA3A4F16A. @a.nic.ir.                   time out
# dig ns XN--MGBA3A4F16A. @b.nic.ir.                   SERVFAIL
# dig ns XN--MGBA3A4F16A. @ir.cctld.authdns.ripe.net.  works

I guess unbound's detection, in combination with the short TTL and
2 out of 3 failing servers, is causing this. But in theory, unbound
should be able to get a hold of this domain properly...

Paul
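
The manual per-server check above, as an added Python example that is not part of the original thread: it sends a non-recursive NS query to each authoritative server and classifies the reply (timeout, SERVFAIL, lame, OK). All function names and verdict labels are this example's own assumptions.

```python
# Added example (not from the thread): per-nameserver NS probe for one zone.
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_NS, CLASS_IN = 2, 1


def build_query(zone: str, qid: int) -> bytes:
    """Encode a non-recursive NS query for `zone` (wire format, RFC 1035)."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)  # RD=0: ask the authority itself
    labels = [l for l in zone.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", TYPE_NS, CLASS_IN)


def classify(response: bytes, qid: int) -> str:
    """Turn a raw reply into a one-word verdict for the operator."""
    if len(response) < 12:
        return "MALFORMED"
    rid, flags, _qd, ancount, nscount, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != qid or not flags & 0x8000:      # wrong ID or QR bit clear (not a response)
        return "MISMATCH"
    rcode = flags & 0x000F
    if rcode != 0:
        return RCODES.get(rcode, f"RCODE{rcode}")
    if not flags & 0x0400:                    # AA bit clear: server is lame for the zone
        return "LAME"
    return "OK" if ancount or nscount else "NODATA"


def probe(server: str, zone: str, timeout: float = 3.0, qid: int = 0x1234) -> str:
    """Send one UDP query to `server` and classify the reply or the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(zone, qid), (server, 53))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT"
        except OSError as exc:                # unreachable, name lookup failure, ...
            return f"ERROR({exc})"
    return classify(data, qid)


def summarize(results: dict) -> str:
    """Condense {server: verdict} into the '2 out of 3 failing' style summary."""
    bad = [srv for srv, verdict in results.items() if verdict != "OK"]
    return f"{len(bad)}/{len(results)} servers failing: {', '.join(sorted(bad)) or 'none'}"
```

Calling `probe()` for each NS name of a zone and passing the resulting dict to `summarize()` gives the same picture as the three dig commands in one line.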

I've no answer, but I'm surprised TLDs are so horribly badly configured...

- https://zonemaster.net/result/1068a6655b94e95e
- http://dnsviz.net/d/xn--mgba3a4f16a/dnssec/
- http://ednscomp.isc.org/ednscomp/7f8ac3b08e

Andreas