[ksk-rollover] resolvers with KSK-2010 only working as forwarders
Petr Špaček
petr.spacek at nic.cz
Wed Nov 7 13:42:59 UTC 2018
Hello,
here is one more wild guess/attempt to explain KSK-2010 only resolvers:
Some of resolvers which RFC8145-report having only KSK-2010 [1] might be
used as forwarders in some larger DNS caching topology, e.g. inside a
company networks.
Recent versions of Knot Resolver and I believe also Unbound set CD
(Checking Disabled) bit when forwarding queries to another resolver, so
intermediary resolver with KSK-2010 only would not cause resolution
failure on these "leaf" resolvers.
I seriously doubt this can explain all of KSK-2010 only resolvers but it
might be a contributing factor.
[1] http://root-trust-anchor-reports.research.icann.org/
--
Petr Špaček @ CZ.NIC
More information about the ksk-rollover
mailing list