[dns-operations] Root Key Sentinel - current state of affairs?

Geoff Huston gih at apnic.net
Fri Jul 9 07:18:48 UTC 2021

These are good questions Ondrej.

As Roy pointed out its not clear if you are referring to the 
“inward” signalling of RFC8145 or the response-based signalling of 

In the first roll one of the big questions was “who sees the roll” and the
intent of RFC8509 was to jump in between the addition of the new key to the root zone
and the actual roll to see the extent to which validating resolvers had
seen the incoming key and added it to their local trusted key set. 

Given the way RFC8509 works there is little point performing the measurement prior
to the provisioning including of the incoming key in the root zone, so there is 
no point in gathering data at present except to calibrate the measurement 
to understand the extent to which resolvers recognise the “special processing”
case of the two labels defined in RFC8509.

So I guess that frpm APNIC Lab’s perspective the RFC8509 measurement work starts
in earnest once a schedule for the next RZ KSK roll is proposed.


> On 23 Jun 2021, at 5:10 pm, Ondřej Surý <ondrej at isc.org> wrote:
> Hi,
> during the last RZ KSK rollover we scrambled to add the Root Key Sentinel
> to the code and as far as I know it did give us different data than was expected.
> So, my current question is:
> - is it still useful?
> - will it be useful for the next RZ KSK rollover?
> - is anybody gathering the data right now?
> - is anybody planning to gather the data before the next RZ KSK rollover?
> Thanks,
> Ondrej
> --
> Ondřej Surý (He/Him)
> ondrej at isc.org
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

More information about the dns-operations mailing list