[ksk-change] How to tell which trust anchors are present at a DNS resolver.

Olaf Kolkman kolkman at isoc.org
Thu Mar 26 15:26:11 UTC 2015

On 24 Mar 2015, at 23:27, David Conrad wrote:

> On Tue, Mar 24, 2015 at 04:25:04PM -0400, Michael StJohns wrote:
>>> One of the discussions we've been having about 5011 roll overs is that
>>> there's no way to tell whether or not they are "taking" because there's
>>> no way to check the resolvers externally.
>> Why do we need to check externally?
> How can we (the folks who are responsible for the KSK) tell if it is safe
> to revoke the old KSK?

With this mechanism only the open-resolvers would be able to tell you. I would hope that is a minimal subset of all the resolvers you'd like to test.

This would provide nice trouble-shooting information for people 'inside' the recursive servers service network, and not everybody has rndc permission, or runs BIND, but it may not be that useful for the KSK signing folk.


- - -
Olaf Kolkman
Chief Internet Technology Officer
Internet Society
kolkman at isoc.org  www.internetsociety.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20150326/54e7845c/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 846 bytes
Desc: OpenPGP digital signature
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20150326/54e7845c/signature.asc>

More information about the ksk-rollover mailing list