Hey SWINOGgers,
I noticed that DNSSEC was somehow auto-disabled at registry level for some .ch domains I am responsible for. For these domains, no DS records are published anymore in the .ch zone, dnsviz shows a broken chain of trust. However, registrar data still shows that DNSSEC is enabled, but the registry (SWITCH) says it is not... Is this a known problem?
Seems not all DNSSEC protected .ch domains are affected, which leads me to the suspicion that it might have to do with the algorithm being used.
Did SWITCH turn off older algorithms, e.g. algo 7 (RSASHA1-NSEC3-SHA1)? Did I miss an announcement?
Random example, e.g. gkb.ch (notably a bank...)
dig +short @dns1.inventx.ch gkb.ch dnskey
256 3 7 AwEAAdYydDZyd5M3UGS5b4Yv6qlIO5eOSwskJ/DQjiRO0as59ZG6hMDJ VseqslJMTwghdiCrd/sicWvDOszK6Cuqye0+ZEm9tfG6gxgWWmzpSmXQ KDHRG1iV8UF0KSOciFAPp4qRe083KPXu2ChXkTUSAa/iRCcZdFJK2M6l c7Gjjj55
257 3 7 AwEAAbQv5Whc+cna1IbtESB+Pwx+8eP5jfbjhuqiFuU/18qUckR9NxT7 KUCT8GDlRTsGYmuKxcMITvH510CgGOA/6TORaB4iIXRnACmfiiku25/B NHmNJd58ymZ/ED17smVJ4ou77/rhxW+/0Q1iVIAOcY8EblWq3EabepYz E6CY9Vh/RTh2mvSl80h8nZyFotsEwN0LIlc/Pi0qGmy7iTOBqtVsbFVm gssn/2c7IMCA8N2aaP1it8Qi+3DDGDh3N8HSEIVk+nrgQtsqQaLOFPGQ Q0ezahQO6oVGKG4XAHw+2XaZQ3UT0sTcFj3ZVKCcGE4Ddoa3J/gqLQh7 aA44cVIQx+s=
dig +short @a.nic.ch gkb.ch ds
-> no DS record
Working example with algorithm 13 (ECDSA Curve P-256 with SHA-256):
dig +short @ns2.switch.ch switch.ch dnskey
257 3 13 keJOWxnKOCymNa0sPpwp/ioeyvgrXjY9hu8KxWdaxlMFukxquKVLdt2J 5KxGOpmIZZbOXRALfG78FnDsE/k8EQ==
256 3 13 YOf+TLHGeDBL0q6DSpE4vE2ub8RUvniew7xYkZJHocU6je7Ww/MfUeHf B1LEDpFNFloYHFBvWD92gu5MT2ZJ1A==
256 3 13 twHlL7CfhxPadzuRi3wRxEDs+3i/oe9W3heRKiP8CALwpexBZYCjMJ2w Z403h9dJ/iA7CzCTSmvePLGdJ4cIzQ==
dig +short @a.nic.ch switch.ch ds
32265 13 2 8A865736961D246F99D6111BCA060E69908380FD5545D799F21E4652 DA60A17C
Could anybody shed some light on this?
Thx & Gruass, Franco
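An added offline check (example code, not part of Franco's post): it recomputes key tags and DS digests from DNSKEY RDATA per RFC 4034 and compares them with the DS set the parent publishes, reporting the "no DS at parent" state seen for gkb.ch and flagging algorithm 7 as not recommended for signing per RFC 8624. The switch.ch KSK and DS are the values quoted above; the short algorithm-7 key standing in for gkb.ch is constructed, not the real one.

```python
import base64
import hashlib
# Signing-side status per RFC 8624 section 3.1 (used only for the report).
NOT_RECOMMENDED_FOR_SIGNING = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 10: "RSASHA512"}
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def wire_name(name):
    """Owner name in canonical (lower-case) wire format: 'switch.ch.' -> 06 switch 02 ch 00."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA as on the wire; whitespace from dig's line wrapping is dropped."""
    key = base64.b64decode("".join(pubkey_b64.split()))
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete 1)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner wire name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGEST_TYPES[digest_type](wire_name(owner) + rdata).hexdigest().upper()

def check_chain(owner, dnskeys, parent_ds):
    """dnskeys: [(flags, proto, algo, b64)]; parent_ds: [(tag, algo, dtype, hex)].
    Returns (status, notes) with status 'ok', 'no-ds' (the symptom in the post) or 'mismatch'."""
    notes = []
    keys = [(f, a, dnskey_rdata(f, p, a, b)) for f, p, a, b in dnskeys]
    for algo in sorted({a for _, a, _ in keys}):
        if algo in NOT_RECOMMENDED_FOR_SIGNING:
            notes.append(f"algorithm {algo} ({NOT_RECOMMENDED_FOR_SIGNING[algo]}) is not recommended for signing")
    if not parent_ds:
        return "no-ds", notes + ["no DS at parent: chain broken, validators treat the zone as unsigned"]
    for tag, algo, dtype, digest in parent_ds:
        for flags, kalgo, rdata in keys:
            if (kalgo, key_tag(rdata)) == (algo, tag) and ds_digest(owner, rdata, dtype) == digest.upper():
                return "ok", notes + [f"DS {tag}/{algo}/{dtype} matches DNSKEY with flags {flags}"]
    return "mismatch", notes + ["parent DS matches none of the child's DNSKEYs (stale DS?)"]

# Sample input from the post: the switch.ch KSK (flags 257, algorithm 13) and its DS at a.nic.ch.
SWITCH_KSK = (257, 3, 13, "keJOWxnKOCymNa0sPpwp/ioeyvgrXjY9hu8KxWdaxlMFukxquKVLdt2J 5KxGOpmIZZbOXRALfG78FnDsE/k8EQ==")
SWITCH_DS = [(32265, 13, 2, "8A865736961D246F99D6111BCA060E69908380FD5545D799F21E4652DA60A17C")]
if __name__ == "__main__":
    print("switch.ch:", check_chain("switch.ch.", [SWITCH_KSK], SWITCH_DS))
    # gkb.ch case: algorithm 7 key (constructed stand-in) and an empty DS set from the registry.
    print("gkb.ch:", check_chain("gkb.ch.", [(257, 3, 7, "AAEAAg==")], []))
```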