We should also note that it takes time for Let's Encrypt to respond to changes to the Public Suffix List.
After the PSL has been updated, Let's Encrypt needs to pull in these changes (this currently happens on the first day of each month, so the next scheduled update is on September 1st), and then a new Boulder release will need to be deployed with that change, which can take up to around two weeks in suboptimal cases.
In any case, if the registry plans to let this domain go live soon, the corresponding PR to the PSL should be made ASAP. There is also a certain authentication procedure to be followed by a registry's representative, but that's not Let's Encrypt related.
Basically you need someone to create a PR, then create a TXT record that references the PR to prove control of the root. On top of that, the registry should publish something on their site, and the account connected to the PR should ideally be referenced in the Root Zone Database.
Having ICANN do this doesn't make sense, because a registry might not want the domain to be included in the PSL as-is. For example, many TLDs don't allow public registrations unless it's on a partitioned subdomain (e.g. .uk vs .com.uk).
Well, not directly. Boulder has all its dependencies stored in the /vendor/ directory, so it requires manual updating.
Another reason to hate the Go dependency system if you ask me. Requiring a copy of all dependencies is just silly IMO. I'm not even sure how that's possible with all kinds of different licenses et cetera.
There is a monthly job which updates it, but a human still reviews and merges the automatically opened pull request to update the version. We can also trigger that job manually if needed, such as if we want to get the new ישראל TLD deployed during August before the Sept 1 job runs. There usually isn't any urgency to PSL updates though.