[ksk-rollover] RFC 8145 interaction with Aggressive DNSSEC cache

Petr Špaček petr.spacek at nic.cz
Thu Jul 26 06:23:48 UTC 2018

On 25.7.2018 21:08, Geoff Huston wrote:
> It seems to me that the best action right now is to deprecate
> RFC 8145 and move on. As far as I can tell its only value is generating
> a garbled signal at the roots and a garbled signal is indistinguishable
> from noise - obviously this is a personal oipinion!
> I have not launched any tests of the root sentinel method as yet - I was 
> waiting to see the fate of the IETF publication process, but is is worth
> the question on this list: Which resolver vendors have implemented the 
> KSK sentinel and integrated it into deployed resolver code releases?

Draft-14 is implemented in Knot Resolver 2.4.0 and enabled by default.
Older versions implement older versions of the draft.

Petr Špaček  @  CZ.NIC

> Geoff
>> On 25 Jul 2018, at 6:51 pm, Petr Špaček <petr.spacek at nic.cz> wrote:
>> Hello,
>> here is one additional caveat about RFC 8145 signaling which I did not
>> see mentioned anywhere:
>> As long as RR "_TA-4A5C-4F66. NULL" does not exist in the root zone, any
>> resolver which implements RFC 8145 (signaling) together with either of
>> - Aggressive Use of DNSSEC-Validated Cache (RFC 8198)
>> - Decreasing Access Time to Root Servers by Running One on Loopback (RFC
>> 7706)
>> is likely not to send signaling queries to the root.
>> If the resolver implemented only RFC 8198 it might send query from time
>> to time but it very much depends on state of its cache and cannot be
>> relied on. RFC 7706 stops signaling queries altogether.
>> The problem with aggressive cache could be solved by adding the _TA
>> records to the root but I'm not sure if it is worth the effort.
>> Are there any results using the KSK root sentinel method?
>> -- 
>> Petr Špaček  @  CZ.NIC

More information about the ksk-rollover mailing list