[ksk-rollover] RFC 8145 interaction with Aggressive DNSSEC cache
petr.spacek at nic.cz
Wed Jul 25 08:51:25 UTC 2018
here is one additional caveat about RFC 8145 signaling which I did not
see mentioned anywhere:
As long as RR "_TA-4A5C-4F66. NULL" does not exist in the root zone, any
resolver which implements RFC 8145 (signaling) together with either of
- Aggressive Use of DNSSEC-Validated Cache (RFC 8198)
- Decreasing Access Time to Root Servers by Running One on Loopback (RFC
is likely not to send signaling queries to the root.
If the resolver implemented only RFC 8198 it might send query from time
to time but it very much depends on state of its cache and cannot be
relied on. RFC 7706 stops signaling queries altogether.
The problem with aggressive cache could be solved by adding the _TA
records to the root but I'm not sure if it is worth the effort.
Are there any results using the KSK root sentinel method?
Petr Špaček @ CZ.NIC
More information about the ksk-rollover