[ksk-rollover] 15 days into the add-hold for KSK-2017

Tony Finch dot at dotat.at
Sat Jul 29 13:12:54 UTC 2017

Olaf Kolkman <kolkman at isoc.org> wrote:

> Is there any advice we can give to resolver ops in a month or so? Like
> check your trust anchor it should now contain <blob>?

I wrote some brief BIND-specific advice for my colleagues at

ISC.org have a longer and more comprehensive version
It mentions contrib/scripts/check5011.pl which I wrote some years ago,
though beware it has a parsing bug that fails with some versions of dig

I'm not aware that Unbound has similar tools for diagnosing its 5011
state, though JP Mens has a write-up which suggests its trust anchor file
is readable enough by itself.

Maybe something similar is true for the Knot resolver?

PowerDNS relies on manual configuration and/or software updates to get new
built-in trust anchors.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Forties: Southwest 4 or 5, decreasing 3 at times, backing southeast 5 to 7,
then becoming cyclonic 6 to gale 8, perhaps severe gale 9 later. Slight,
becoming moderate or rough. Showers then rain. Good, occasionally moderate.
