[ksk-change] How to tell which trust anchors are present at a DNS resolver.
David Conrad
david.conrad at icann.org
Wed Mar 25 04:27:53 UTC 2015
Evan,
>On Tue, Mar 24, 2015 at 04:25:04PM -0400, Michael StJohns wrote:
>> One of the discussions we've been having about 5011 roll overs is that
>> there's no way to tell whether or not they are "taking" because there's
>> no way to check the resolvers externally.
>
>Why do we need to check externally?
How can we (the folks who are responsible for the KSK) tell if it is safe
to revoke the old KSK?
>(For that matter what exactly do
>you mean by "externally"?
>From a non-local vantage point.
>Most resolvers won't answer queries from outside
>their local networks anyway.)
There is that.
Regards,
-drc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4673 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20150325/0cbfced8/smime-0001.p7s>
More information about the ksk-rollover
mailing list