[ksk-rollover] new root trust anchor confirmation

Wessels, Duane dwessels at verisign.com
Thu Aug 10 18:03:42 UTC 2017

> On Aug 10, 2017, at 9:57 AM, Daisuke HIGASHI <daisuke.higashi at gmail.com> wrote:
>  Is there any method to confirm that my validator has accepted new
> root KSK trust anchor and can actually validates with new TA before 11
> Oct?

In general, no.

If you happen to run a recent unbound you could query your validator for 
trustanchor.unbound CH TXT

>  Any test records signed with _only_ new KSK in root zone?

This doesn't work.  Such a record would validate even if your trust anchor didn't get updated.


More information about the ksk-rollover mailing list