<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 3/26/2015 11:26 AM, Olaf Kolkman
wrote:<br>
</div>
<blockquote cite="mid:B984EC47-C1EF-4A95-99F4-31629B841ED6@isoc.org"
type="cite">
<div class="markdown">
<p dir="auto">On 24 Mar 2015, at 23:27, David Conrad wrote:</p>
<blockquote>
<p dir="auto">On Tue, Mar 24, 2015 at 04:25:04PM -0400,
Michael StJohns wrote:</p>
<blockquote>
<blockquote>
<p dir="auto">One of the discussions we've been having
about 5011 roll overs is that<br>
there's no way to tell whether or not they are "taking"
because there's<br>
no way to check the resolvers externally.</p>
</blockquote>
<p dir="auto">Why do we need to check externally?</p>
</blockquote>
<p dir="auto">How can we (the folks who are responsible for
the KSK) tell if it is safe<br>
to revoke the old KSK?</p>
</blockquote>
<p dir="auto">With this mechanism only the open-resolvers would
be able to tell you. I would hope that is a minimal subset of
all the resolvers you'd like to test.</p>
</div>
</blockquote>
<br>
This is going to get you to a large proportion of servers that
serve the broadband home market. What it doesn't necessarily get
you are the commercial companies. OTOH those commercial
companies may be more likely to be actively managed.<br>
<br>
I was trying to figure out if some sort of "test me" web page could
be used to reflect this data back to some sort of collector
*without* ending up with a DoS amplification attack. Or a Mozilla
or other web browser extension that will do this check every 30 days
or so (with user permission and dump the data somewhere accessible).<br>
<br>
*sigh* Mike<br>
<br>
<blockquote cite="mid:B984EC47-C1EF-4A95-99F4-31629B841ED6@isoc.org"
type="cite">
<div class="markdown">
<p dir="auto">This would provide nice trouble-shooting
information for people 'inside' the recursive servers service
network, and not everybody has rndc permission, or runs BIND,
but it may not be that useful for the KSK signing folk.</p>
<p dir="auto">—Olaf</p>
<hr>
<p dir="auto">Olaf Kolkman<br>
Chief Internet Technology Officer<br>
Internet Society<br>
<a moz-do-not-send="true" href="mailto:kolkman@isoc.org">kolkman@isoc.org</a>
<a moz-do-not-send="true"
href="http://www.internetsociety.org">www.internetsociety.org</a></p>
</div>
<pre wrap="">_______________________________________________
ksk-rollover mailing list
<a class="moz-txt-link-abbreviated" href="mailto:ksk-rollover@icann.org">ksk-rollover@icann.org</a>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/ksk-rollover">https://mm.icann.org/mailman/listinfo/ksk-rollover</a>
</pre>
</blockquote>
<br>
</body>
</html>