[ksk-rollover] Running code: draft-ietf-dnsop-kskroll-sentinel-00 in Knot Resolver 2.0.0

Petr Špaček petr.spacek at nic.cz
Thu Feb 1 08:15:01 UTC 2018


Hello,

draft-ietf-dnsop-kskroll-sentinel-00 is now implemented in Knot Resolver
version 2.0.0 [1] which was released yesterday, and it is enabled by
default.

To make things more interesting, version 2.0.0 also has an implementation
of RFC 8198 Aggressive Use of DNSSEC-Validated Cache, which effectively
means that RFC 8145 signaling queries sent by something using our
resolver are not going to reach the root because they will be blocked by
the aggressive cache.

Oh well. As I said earlier, I think we are not going to have reliable
data in upcoming years, so let's generate some PR and treat KSK-2017
roll as one of many security issues - it will be fixed like any other
security issue.

[1] Knot Resolver
https://www.knot-resolver.cz/
https://www.knot-resolver.cz/2018-01-31-knot-resolver-2.0.0.html

-- 
Petr Špaček  @  CZ.NIC
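
An added illustration of the interaction described in the message, not part of the original post and not Knot Resolver code: a validated NSEC record cached from the root that spans the gap containing an RFC 8145 `_ta-...` name lets an RFC 8198 resolver synthesize NXDOMAIN locally, so the signal never reaches the root. The NSEC pair and all helper names are constructed for the example; TTLs, signature validation and NSEC3 are left out.

```python
# Constructed sample: one validated NSEC (owner, next) pair cached from the root zone.
SAMPLE_NSEC_CACHE = [(".", "aaa.")]

def canonical_key(name):
    """RFC 4034 section 6.1 ordering: labels compared right to left, lowercased."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return tuple(l.encode("ascii") for l in reversed(labels))

def nsec_covers(owner, next_name, qname):
    """True if qname lies strictly inside the gap this NSEC proves empty."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the zone wraps back to the apex

def rfc8145_qname(key_tags):
    """RFC 8145 key tag query name: '_ta-' plus sorted 4-digit hex tags, at the root."""
    return "_ta-" + "-".join("%04x" % t for t in sorted(key_tags)) + "."

def answered_from_cache(nsec_cache, qname):
    """RFC 8198: NXDOMAIN is synthesized when cached NSECs cover both the
    query name and the wildcard at the closest encloser (the root here)."""
    def covered(name):
        return any(nsec_covers(o, n, name) for o, n in nsec_cache)
    return covered(qname) and covered("*.")

if __name__ == "__main__":
    # Key tags 19036 (KSK-2010) and 20326 (KSK-2017) as a validator would signal them.
    qname = rfc8145_qname([19036, 20326])
    for label, cache in (("empty cache", []), ("apex NSEC cached", SAMPLE_NSEC_CACHE)):
        blocked = answered_from_cache(cache, qname)
        print(f"{label}: {qname} -> {'synthesized NXDOMAIN' if blocked else 'sent upstream'}")
```

The label `_ta-...` starts with 0x5f, which sorts below every lowercase TLD, so the NSEC at the root apex alone covers every key tag query in this sample.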

