[ksk-change] How to tell which trust anchors are present at a DNS resolver.

David Conrad david.conrad at icann.org
Wed Mar 25 04:27:53 UTC 2015


>On Tue, Mar 24, 2015 at 04:25:04PM -0400, Michael StJohns wrote:
>> One of the discussions we've been having about 5011 roll overs is that
>> there's no way to tell whether or not they are "taking" because there's
>> no way to check the resolvers externally.
>Why do we need to check externally?

How can we (the folks who are responsible for the KSK) tell if it is safe
to revoke the old KSK?

>(For that matter what exactly do
>you mean by "externally"?

From a non-local vantage point.

>Most resolvers won't answer queries from outside
>their local networks anyway.)

There is that.
