[dns-operations] Why roll the KSK? (was Sad news today: systemd-resolved to be deployed in Ubuntu 16.10)

David Conrad drc at virtualized.org
Tue Jun 7 00:36:09 UTC 2016

On Jun 6, 2016, at 3:33 PM, Paul Vixie <vixie at tisf.net> wrote:
>>> yeti-dns is about to start its first KSK roll experiment, using RFC 5011. i expect to be enlightened, one way or the other, by the results.
>> Any idea how many validating resolvers will be participating in the experiment?
> a couple dozen.

I'll be interested in the outcomes.

>> Out of curiosity, how is it different than http://keyroll.systems or https://icksk.dnssek.info/fauxroot.html?
> i don't know anything about those.

They've been in operation continuously since the ICANN LA meeting in 2014 in which we had a validating resolver vendor workshop. Beyond the workshop and encouraging resolver operators to try experimenting with them, we haven't been particularly vocal about their existence. Something we'll be remedying as part of the KSK rollover testing plan.

(speaking only for myself)
