[ksk-rollover] RFC 8145 interaction with Aggressive DNSSEC cache

Petr Špaček petr.spacek at nic.cz
Wed Jul 25 08:51:25 UTC 2018


Here is one additional caveat about RFC 8145 signaling which I did not
see mentioned anywhere:

As long as the RR "_TA-4A5C-4F66. NULL" does not exist in the root zone, any
resolver which implements RFC 8145 (signaling) together with either of
- Aggressive Use of DNSSEC-Validated Cache (RFC 8198)
- Decreasing Access Time to Root Servers by Running One on Loopback (RFC 7706)
is likely not to send signaling queries to the root.

If the resolver implemented only RFC 8198 it might send a query from time
to time, but that very much depends on the state of its cache and cannot be
relied on. RFC 7706 stops signaling queries altogether.

The problem with the aggressive cache could be solved by adding the _TA
records to the root, but I'm not sure if it is worth the effort.

Are there any results using the KSK root sentinel method?

Petr Špaček  @  CZ.NIC
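As an added illustration (not part of the message above), the following Python models the RFC 8198 aggressive negative caching decision for the RFC 8145 signaling name: a resolver that holds an NSEC record covering the name, plus one covering the wildcard at the closest encloser, synthesizes NXDOMAIN locally and never sends the query to the root. The NSEC chain fragments are constructed sample data, not the real root zone.

```python
def labels(name):
    """Split a presentation-format name into lowercased labels (root -> [])."""
    return [l.lower() for l in name.strip(".").split(".") if l]

def canonical_key(name):
    """Sort key for DNS canonical ordering (RFC 4034 s6.1): labels compared
    right to left, case-insensitively; a proper ancestor sorts first."""
    return tuple(l.encode() for l in reversed(labels(name)))

def covers(owner, nxt, qname):
    """True if qname sorts strictly between an NSEC's owner and next name.
    The last NSEC in a zone points back to the apex and wraps around."""
    o, n, q = map(canonical_key, (owner, nxt, qname))
    if n <= o:                      # wrap-around: everything after owner
        return q > o
    return o < q < n

def closest_encloser(qname, existing):
    """Longest name in `existing` that is a proper ancestor of qname."""
    q, best = labels(qname), []
    for name in existing:
        e = labels(name)
        if len(e) < len(q) and q[len(q) - len(e):] == e and len(e) > len(best):
            best = e
    return ".".join(best) + "."

def synthesize_nxdomain(nsec_cache, qname):
    """RFC 8198 s5.1: answer NXDOMAIN from cache when one cached NSEC covers
    qname and a cached NSEC also covers the wildcard at the closest encloser
    (owner and next name of the covering NSEC are names known to exist)."""
    covering = [(o, n) for o, n in nsec_cache if covers(o, n, qname)]
    if not covering:
        return False
    owner, nxt = covering[0]
    wildcard = "*." + closest_encloser(qname, [owner, nxt]).lstrip(".")
    return any(covers(o, n, wildcard) for o, n in nsec_cache)

# Constructed root-zone NSEC fragments a validating resolver might have cached
# after earlier lookups (sample data, not real root zone contents).
ROOT_NSEC_CACHE = [
    (".", "aaa."),          # first NSEC: nothing sorts between apex and "aaa."
    ("com.", "comcast."),
    ("zw.", "."),           # last NSEC: wraps back to the apex
]

SIGNAL_NAME = "_TA-4A5C-4F66."  # RFC 8145 key-tag signaling name from the post

def would_query_root(qname, cache=ROOT_NSEC_CACHE):
    """The signaling query reaches the root only when it cannot be answered
    from the aggressive cache; '_' sorts before 'a', so "." -> "aaa." covers it."""
    return not synthesize_nxdomain(cache, qname)
```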
