[ksk-rollover] resolvers with KSK-2010 only working as forwarders

Petr Špaček petr.spacek at nic.cz
Wed Nov 7 13:42:59 UTC 2018


Here is one more wild guess/attempt to explain KSK-2010 only resolvers:

Some of the resolvers which RFC8145-report having only KSK-2010 [1] might be
used as forwarders in some larger DNS caching topology, e.g. inside a
company network.

Recent versions of Knot Resolver and I believe also Unbound set the CD
(Checking Disabled) bit when forwarding queries to another resolver, so
an intermediary resolver with KSK-2010 only would not cause resolution
failure on these "leaf" resolvers.

I seriously doubt this can explain all of the KSK-2010 only resolvers but it
might be a contributing factor.

[1] http://root-trust-anchor-reports.research.icann.org/

Petr Špaček  @  CZ.NIC
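
The forwarding scenario described in the message above, as an added example that is not part of the original post and is not code from any resolver: it builds the wire-format query a leaf would send (CD bit in the header, DO bit in EDNS0) and runs it through a simplified model of a validating forwarder. The function names, the query name and the forwarder model are assumptions made for illustration; the key tags 19036 and 20326 are those of KSK-2010 and KSK-2017.

```python
import struct

KSK_2010, KSK_2017 = 19036, 20326      # root KSK key tags
FLAG_RD, FLAG_CD = 0x0100, 0x0010      # DNS header flag bits (RFC 1035, RFC 4035)
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2

def build_query(qname, qtype, cd, msg_id=0x1234):
    """Wire-format query: RD=1, optional CD=1, EDNS0 OPT record with DO=1."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1)
    labels = b"".join(bytes([len(l)]) + l.encode()
                      for l in qname.rstrip(".").split(".") if l)
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner name, type 41, class = UDP payload size,
    # TTL field carries ext-rcode/version/DO (0x8000), empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def cd_is_set(wire):
    """Read the CD bit back out of the 16-bit flags word at offset 2."""
    return bool(struct.unpack("!H", wire[2:4])[0] & FLAG_CD)

def validates(trust_anchors, signing_ksk):
    """Assumed model: the chain of trust verifies only if the KSK is configured."""
    return signing_ksk in trust_anchors

def forwarder_answer(wire, forwarder_anchors, signing_ksk):
    """Assumed model of a validating forwarder: CD=1 means hand data back unchecked."""
    if cd_is_set(wire) or validates(forwarder_anchors, signing_ksk):
        return RCODE_NOERROR
    return RCODE_SERVFAIL

def leaf_resolve(leaf_sets_cd, leaf_anchors, forwarder_anchors, signing_ksk):
    """Leaf forwards through the intermediary, then validates with its own anchors."""
    wire = build_query("example.com.", 1, cd=leaf_sets_cd)
    if forwarder_answer(wire, forwarder_anchors, signing_ksk) != RCODE_NOERROR:
        return "SERVFAIL from forwarder"
    return "secure" if validates(leaf_anchors, signing_ksk) else "bogus at leaf"

if __name__ == "__main__":
    # Root zone signed by KSK-2017; forwarder still holds only KSK-2010.
    for cd in (True, False):
        print("CD=%d ->" % cd, leaf_resolve(cd, {KSK_2017}, {KSK_2010}, KSK_2017))
```

With CD set the stale forwarder is invisible to clients of the leaf, which is why its trust anchor state would surface only in its own RFC 8145 reports.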
