[ksk-rollover] 15 days into the add-hold for KSK-2017

Tony Finch dot at dotat.at
Sat Jul 29 13:12:54 UTC 2017


Olaf Kolkman <kolkman at isoc.org> wrote:

> Is there any advice we can give to resolver ops in a month or so? Like
> check your trust anchor it should now contain <blob>?

I wrote some brief BIND-specific advice for my colleagues at
https://jackdaw.cam.ac.uk/ipreg/nsconfig/dnssec-validation.html

ISC.org have a longer and more comprehensive version
https://www.isc.org/blogs/2017-root-key-rollover-what-does-it-mean-for-bind-users/
It mentions contrib/scripts/check5011.pl which I wrote some years ago,
tho beware it has a parsing bug that fails with some versions of dig
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=ed2659c9747d917a3cbec336790e7583056bc563

I'm not aware that Unbound has similar tools for diagnosing its 5011
state, though JP Mens has a write-up which suggests its trust anchor file
is readable enough by itself.
http://jpmens.net/2015/01/21/opendnssec-rfc-5011-bind-and-unbound/

Maybe something similar is true for the Knot resolver?
http://knot-resolver.readthedocs.io/en/stable/daemon.html#enabling-dnssec

PowerDNS relies on manual configuration and/or software updates to get new
built-in trust anchors.
https://doc.powerdns.com/recursor/dnssec.html#trust-anchor-management

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Forties: Southwest 4 or 5, decreasing 3 at times, backing southeast 5 to 7,
then becoming cyclonic 6 to gale 8, perhaps severe gale 9 later. Slight,
becoming moderate or rough. Showers then rain. Good, occasionally moderate.
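
Added example, not part of the message above and not code from Unbound, ISC or any other project it mentions: a small Python reader for an Unbound-style RFC 5011 trust anchor file that reports each root key's state and, for a key still in ADDPEND, how much of the 30-day add hold-down remains. The file layout, the state names and the use of `lastchange` as the start of the hold-down are assumptions based on Unbound's autotrust file; the sample is constructed and its key material is a placeholder.

```python
import re
import time

# RFC 5011 section 2.4.1: a new key must be observed for 30 days before it is trusted.
ADD_HOLD_DOWN = 30 * 86400

# Constructed sample in the assumed autotrust layout. Key data is a placeholder;
# 20326 and 19036 are the key tags of KSK-2017 and KSK-2010.
SAMPLE = """\
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1501333974 ;;Sat Jul 29 13:12:54 2017
.\t172800\tIN\tDNSKEY\t257 3 8 PLACEHOLDERKEYA= ;{id = 20326 (ksk), size = 2048b} ;;state=1 [ ADDPEND ] ;;count=2 ;;lastchange=1500037974 ;;Fri Jul 14 13:12:54 2017
.\t172800\tIN\tDNSKEY\t257 3 8 PLACEHOLDERKEYB= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1400000000 ;;Tue May 13 16:53:20 2014
"""

# DNSKEY flags, then key tag, numeric state, state name and lastchange from the comments.
ANCHOR = re.compile(
    r"\bDNSKEY\s+(\d+)\s+\d+\s+\d+\s.*?id = (\d+)"
    r".*?;;state=(\d+) \[\s*(\w+)\s*\].*?;;lastchange=(\d+)"
)

def parse_anchors(text):
    """Return one dict per DNSKEY line; file-level ';' comment lines are skipped."""
    anchors = []
    for line in text.splitlines():
        if line.startswith(";"):
            continue
        m = ANCHOR.search(line)
        if m:
            flags, tag, _num, state, changed = m.groups()
            anchors.append({"tag": int(tag), "sep": bool(int(flags) & 1),
                            "state": state, "lastchange": int(changed)})
    return anchors

def report(text, now):
    """Map key tag -> state, with the remaining hold-down for ADDPEND keys."""
    out = {}
    for a in parse_anchors(text):
        if a["state"] == "ADDPEND":
            left = max(0, a["lastchange"] + ADD_HOLD_DOWN - now)
            out[a["tag"]] = f"ADDPEND, {left // 86400} days of hold-down left"
        else:
            out[a["tag"]] = a["state"]
    return out

if __name__ == "__main__":
    # Replace SAMPLE with the contents of the resolver's own trust anchor file.
    for tag, status in report(SAMPLE, int(time.time())).items():
        print(tag, status)
```

A resolver that is tracking the rollover should show the new key moving from ADDPEND to VALID once the hold-down has passed; a file that never lists the new key at all is the case to investigate.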

