Update .kh SLDs

[brian-peter-dickson]

• Description of Organization

• Reason for PSL Inclusion

• DNS verification via dig

• Run Syntax Checker (make test)

• Each domain listed in the PRIVATE section has and shall maintain at least two years remaining on registration, and we shall keep the _PSL txt record in place

Submitter affirms the following:

• We are listing any third party limits that we seek to work around in our rationale such as those between IOS 14.5+ and Facebook (see Issue #1245 as a well-documented example)
• This request was not submitted with the objective of working around other third party limits
• The Guidelines were carefully read and understood, and this request conforms
• The submission follows the guidelines on formatting

---

For Private section requests that are submitting entries for domains that match their organization website's primary domain:

Seriously, carefully read the downline flow of the PSL and the guidelines.
Your request could very likely alter the cookie and certificate (as well as other) behaviours on your 
core domain name in ways that could be problematic for your business.

Rollback is really not predicatable, as those who use or incorporate the PSL do what they do, and when.
It is not within the PSL volunteers' control to do anything about that.  

The volunteers are busy with new requests, and rollbacks are lowest priority, so if something gets broken 
it will stay that way for an indefinitely long while.

(Link: about propogation/expectations)

• Yes, I understand. I could break my organization's website cookies etc. and the rollback timing, etc is acceptable. Proceed.

---

Description of Organization

Organization Website:

Individual, not representing my employer.
DNS architect at GoDaddy.
No relationship with domain being updated.
Doing update to enumerate second level domains as an addition to the existing wildcard entry *.kh.

Reason for PSL Inclusion

Voluntary improvement to entry for kh, so that things like RPZ zones can be scripted from the actual SLDs.
RPZs (response policy zones) are ordinary DNS zones, and as such, interior wildcards don't work.
Instead of having 'foo.*.kh' the result of enumerated list of SLDs would result in 'foo.SLD.kh'.
(I have submitted similar PRs for several other CCTLDs.)

DNS Verification via dig

Dig was run for each of the SLDs in the PR. The dig output demonstrated that the SLDs exist (possibly as ENTs).

; <<>> DiG 9.16.13 <<>> @ns1.dns.net.kh. com.kh. NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39825
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;com.kh. IN NS

;; ANSWER SECTION:
com.kh. 10800 IN NS dns1.online.com.kh.
com.kh. 10800 IN NS ns4.apnic.net.
com.kh. 10800 IN NS ns1.dns.net.kh.
com.kh. 10800 IN NS ns.camnet.com.kh.

;; Query time: 196 msec
;; SERVER: 203.223.32.21#53(203.223.32.21)
;; WHEN: Tue Sep 28 13:38:11 PDT 2021
;; MSG SIZE rcvd: 138

; <<>> DiG 9.16.13 <<>> @ns1.dns.net.kh. edu.kh. NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12893
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;edu.kh. IN NS

;; ANSWER SECTION:
edu.kh. 10800 IN NS ns.camnet.com.kh.
edu.kh. 10800 IN NS ns1.dns.net.kh.
edu.kh. 10800 IN NS dns1.online.com.kh.
edu.kh. 10800 IN NS ns4.apnic.net.

;; Query time: 197 msec
;; SERVER: 203.223.32.21#53(203.223.32.21)
;; WHEN: Tue Sep 28 13:38:12 PDT 2021
;; MSG SIZE rcvd: 142

; <<>> DiG 9.16.13 <<>> @ns1.dns.net.kh. gov.kh. NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45643
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;gov.kh. IN NS

;; ANSWER SECTION:
gov.kh. 10800 IN NS ns4.apnic.net.
gov.kh. 10800 IN NS ns.camnet.com.kh.
gov.kh. 10800 IN NS dns1.online.com.kh.
gov.kh. 10800 IN NS ns1.dns.net.kh.

;; Query time: 196 msec
;; SERVER: 203.223.32.21#53(203.223.32.21)
;; WHEN: Tue Sep 28 13:38:12 PDT 2021
;; MSG SIZE rcvd: 142

; <<>> DiG 9.16.13 <<>> @ns1.dns.net.kh. mil.kh. NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40433
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mil.kh. IN NS

;; ANSWER SECTION:
mil.kh. 10800 IN NS ns.camnet.com.kh.
mil.kh. 10800 IN NS dns1.online.com.kh.
mil.kh. 10800 IN NS ns1.dns.net.kh.
mil.kh. 10800 IN NS ns4.apnic.net.

;; Query time: 195 msec
;; SERVER: 203.223.32.21#53(203.223.32.21)
;; WHEN: Tue Sep 28 13:38:12 PDT 2021
;; MSG SIZE rcvd: 142

; <<>> DiG 9.16.13 <<>> @ns1.dns.net.kh. net.kh. NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64308
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;net.kh. IN NS

;; ANSWER SECTION:
net.kh. 10800 IN NS dns1.online.com.kh.
net.kh. 10800 IN NS ns.camnet.com.kh.
net.kh. 10800 IN NS ns1.dns.net.kh.
net.kh. 10800 IN NS ns4.apnic.net.

;; Query time: 203 msec
;; SERVER: 203.223.32.21#53(203.223.32.21)
;; WHEN: Tue Sep 28 13:38:12 PDT 2021
;; MSG SIZE rcvd: 138

; <<>> DiG 9.16.13 <<>> @ns1.dns.net.kh. org.kh. NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19388
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;org.kh. IN NS

;; ANSWER SECTION:
org.kh. 10800 IN NS ns1.dns.net.kh.
org.kh. 10800 IN NS dns1.online.com.kh.
org.kh. 10800 IN NS ns.camnet.com.kh.
org.kh. 10800 IN NS ns4.apnic.net.

;; Query time: 196 msec
;; SERVER: 203.223.32.21#53(203.223.32.21)
;; WHEN: Tue Sep 28 13:38:13 PDT 2021
;; MSG SIZE rcvd: 142

; <<>> DiG 9.16.13 <<>> @ns1.dns.net.kh. per.kh. NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26741
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;per.kh. IN NS

;; ANSWER SECTION:
per.kh. 10800 IN NS ns1.dns.net.kh.
per.kh. 10800 IN NS ns.camnet.com.kh.
per.kh. 10800 IN NS ns4.apnic.net.
per.kh. 10800 IN NS dns1.online.com.kh.

;; Query time: 196 msec
;; SERVER: 203.223.32.21#53(203.223.32.21)
;; WHEN: Tue Sep 28 13:38:13 PDT 2021
;; MSG SIZE rcvd: 142

make test

Yes, make test was done and all results are "pass".

[dnsguru]

Closing, see #1439 - the DNS Validation portion of this is crucial to any changes in the 'ICANN section'. The time and focus / attention are appreciated @brian-peter-dickson - these can be re-opened if the NIC adds validation entries into the DNS so these can be verified.