[ksk-rollover] Running code: draft-ietf-dnsop-kskroll-sentinel-00 in Knot Resolver 2.0.0

Petr Špaček petr.spacek at nic.cz
Thu Feb 1 08:15:01 UTC 2018


draft-ietf-dnsop-kskroll-sentinel-00 is now implemented in Knot Resolver
version 2.0.0 [1] which was released yesterday, and it is enabled by

To make things more interesting, version 2.0.0 also has an implementation
of RFC 8198 Aggressive Use of DNSSEC-Validated Cache, which effectively
means that RFC 8145 signaling queries sent by something using our
resolver are not going to reach root because they will be blocked by the
aggressive cache.

Oh well. As I said earlier, I think we are not going to have reliable
data in upcoming years, so let's generate some PR and treat KSK-2017
roll as one of many security issues - it will be fixed like any other
security issue.

[1] Knot Resolver

Petr Špaček  @  CZ.NIC
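
The interaction the message describes between RFC 8145 signaling and the RFC 8198 aggressive cache, as an added example that is not part of the original message and is not Knot Resolver code. It shows why one cached NSEC is enough to answer a `_ta-` query locally. The function names are hypothetical, the NSEC pairs are constructed sample data modelled on the root zone, and only single-label names under the root are handled.

```python
# Added illustration, not Knot Resolver code. NSEC pairs are constructed samples.

def canonical_key(name):
    """RFC 4034 canonical ordering key: labels right to left, lowercased octets."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return [l.lower().encode("ascii") for l in reversed(labels)]

def nsec_covers(owner, next_name, qname):
    """True if qname sorts strictly between an NSEC's owner and next name."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the zone wraps back to the apex

def ta_signal_qname(key_tags):
    """RFC 8145 query name: '_ta-' plus sorted four-digit hex key tags."""
    return "_ta-" + "-".join(f"{tag:04x}" for tag in sorted(key_tags)) + "."

def answered_from_cache(cached_nsecs, qname):
    """RFC 8198 NXDOMAIN synthesis for a single-label name under the root:
    cached NSECs must cover both qname and the root wildcard '*.'."""
    def covered(name):
        return any(nsec_covers(o, n, name) for o, n in cached_nsecs)
    return covered(qname) and covered("*.")

# Constructed cache contents as (owner, next name) pairs.
APEX_NSEC = [(".", "aaa.")]          # modelled on the root apex NSEC
OTHER_NSEC = [("com.", "comcast.")]  # an unrelated gap between two TLDs

if __name__ == "__main__":
    qname = ta_signal_qname([20326, 19036])  # KSK-2017 and KSK-2010 key tags
    print(qname, answered_from_cache(APEX_NSEC, qname))
    print(qname, answered_from_cache(OTHER_NSEC, qname))
```

Because `_` and `*` both sort before any letter, the apex NSEC covers the signal name and the wildcard at once, so the query never has to leave the resolver while that record is cached.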
