Analyzing Internationalized (IDN) Country Code TLDs (2025-03)

We did a quick DNS Institute DNS Analyzer run for the 61 country code TLDs that are Internationalized Domain Names (IDN) using xn-- punycode. This represented 132 different checks and identified 8437 mostly-repeated anomalies or failures (from 47 unique checks). A small sample of the significant or interesting checks is below.

Normally, country code TLDs use the two-character (in ASCII) ISO 3166-1 codes. But some countries also have one or more top-level domains using a local script. Behind the scenes, DNS clients convert Unicode domain names into a string of ASCII characters, prefixed with "xn--" using the Punycode encoding algorithm, while the user interfaces like web browsers display the script. While DNS may work with the non-ASCII script, currently none of the delegated servers nor the root servers served for the original Unicode names (we checked). More information may be seen in RFC 5890. The IDN country code domains can be seen at IANA Root Zone Database.

DNS Institute is providing free portal use of its DNS Analyzer for small ccTLDs (that aren't managed by mega DNS providers). Contact DNS Institute to sign up. This exhaustive DNS test suite of over 200 tests is based on IETF/RFC standards, registry policies, government mandates, and vendor best practices, including for IPv6 and DNSSEC. It has bibliographical citations and summaries for the test decisions. It has been used to analyze tens of thousands of domains owned by Fortune 500 companies, S&P Global Banks, TLDs, and several national governments. DNS Institute has detected and collected millions of DNS anomalies, including numerous security vulnerabilities related to DNS including with General Motors, Walmart, Fandango, Qurate, SEB Bank, L'Oreal, New York University, Nordea Bank, DigiBank, Deutsche Bank, Kaspersky, and many others.

xn--pgbs0dh. تونس (Tunisia) — D107070: Nameserver response source address must match the queried destination address.
xn--mgbai9azgqp6j. پاکستان (Pakistan) — D104300: There must be at least one answering NS delegation. (All of their servers timed out UDP and TCP and IPv6 and IPv4, so this ccTLD was effectively dead.)
xn--l1acc. мон (Mongolia in Cyrillic script) — D104610: Working nameservers should be in at least two separate Autonomous System (AS) Originations (IPv4).
xn--mgbpl2fh. سودان (Sudan) — D104250: There should be at least two answering NS delegations (which has a compound effect like D104600: Working nameservers must be in at least two topologically-separate networks (IPv4)).
xn--mgbcpq6gpa1a. البحرين (Bahrain) — D107820: SOA serial number should be similar from each nameserver. (Only 1380 seconds difference, assuming the serial which shows to be epoch time, but the SOA REFRESH was 900 seconds so it showed a delay. Except it is less than the SOA RETRY time.)
xn--fzc2c9e2c. ලංකා (Sri Lanka) — D105230: NS records must match the parent's delegated NS records.
xn--xkc2al3hye2a. இலங்கை (Sri Lanka) — D104160: The nameserver must answer over TCP. (192.248.121.3 returned REFUSED)
xn--mgberp4a5d4ar. السعودية (Saudi Arabia) — D107400: Maximum of seven NS delegations is recommended.
xn--lgbbat1ad8j. الجزائر (Algeria) — D103500: SOA MINIMUM (negative caching TTL) recommended maximum is 1 hour (Unbound and PowerDNS Recursor default max) and D103400 for 3 hours (BIND9 default max) (five days is a major outlier).
xn--lgbbat1ad8j. الجزائر (Algeria) — D104150: The nameserver must answer over UDP. (204.61.216.104 returned SERVFAIL)
xn--mgbtx2b. عراق (Iraq) — D104150: The nameserver must answer over UDP. (194.117.57.105 UDP timeout)
xn--ygbi2ammx. فلسطين (Palestine) — D104160: The nameserver must answer over TCP. (213.244.82.147 EHOSTUNREACH No route to host)

Many other problems were detected as the DNS Institute DNS Analyzer followed delegations iterating through every possible chain. Four of the 61 domains had no complete IPv6 support. Thirteen of the domains didn't have DNSSEC signed records. See our previous research identifying other TLD problems.