[ksk-change] How to tell which trust anchors are present at a DNS resolver.

Michael StJohns msj at nthpermutation.com
Thu Mar 26 21:45:01 UTC 2015


On 3/26/2015 11:26 AM, Olaf Kolkman wrote:
>
> On 24 Mar 2015, at 23:27, David Conrad wrote:
>
>     On Tue, Mar 24, 2015 at 04:25:04PM -0400, Michael StJohns wrote:
>
>             One of the discussions we've been having about 5011 rollovers
>             is that there's no way to tell whether or not they are "taking"
>             because there's no way to check the resolvers externally.
>
>         Why do we need to check externally?
>
>     How can we (the folks who are responsible for the KSK) tell if it
>     is safe
>     to revoke the old KSK?
>
> With this mechanism only the open-resolvers would be able to tell you. 
> I would hope that is a minimal subset of all the resolvers you'd like 
> to test.
>

This is going to get you to a large proportion of servers that serve 
the broadband home market.  What it doesn't necessarily get you are the 
commercial companies.  OTOH those commercial companies may be more 
likely to be actively managed.

I was trying to figure out if some sort of "test me" web page could be 
used to reflect this data back to some sort of collector *without* 
ending up with a DoS amplification attack.  Or a Mozilla or other web 
browser extension that will do this check every 30 days or so (with user 
permission) and dump the data somewhere accessible.

*sigh* Mike



> This would provide nice trouble-shooting information for people 
> 'inside' the recursive servers service network, and not everybody has 
> rndc permission, or runs BIND, but it may not be that useful for the 
> KSK signing folk.
>
> —Olaf
>
> ------------------------------------------------------------------------
>
> Olaf Kolkman
> Chief Internet Technology Officer
> Internet Society
> kolkman at isoc.org
> www.internetsociety.org
>
