[dns-operations] Root Key Sentinel - current state of affairs?

Moritz Müller moritz.muller at sidn.nl
Thu Jun 24 14:11:20 UTC 2021


Hi,

We’ve looked at root sentinel data (RFC 8509) in our study of the Root KSK rollover, but back then it was not widely deployed [1].
According to [2] support is rising slowly, so it might be more useful before the next rollover.
So personally, from a research point of view, I would not abandon it yet even though the signal must be interpreted with care.

—
Moritz

[1] Roll Roll Roll Your Root: A Comprehensive Analysis of the First Ever DNSSEC Root KSK Rollover https://www.sidnlabs.nl/downloads/3mSYgcR3dYeCZvMQItOS1G/0b898a6a4407a64d52401b302fb098d5/author_version.pdf
[2] https://dnsthought.nlnetlabs.nl/#ta_20326

> On 23 Jun 2021, at 15:23, Roy Arends <roy at dnss.ec> wrote:
> 
> Hi Ondrej
> 
>> On 23 Jun 2021, at 08:10, Ondřej Surý <ondrej at isc.org> wrote:
>> 
>> Hi,
>> 
>> during the last RZ KSK rollover we scrambled to add the Root Key Sentinel
>> to the code and as far as I know it did give us different data than was expected.
> 
> I am going to assume you are referring to RFC8145 (Signaling Trust Anchor Knowledge in DNSSEC) and not RFC8509 (A Root Key Trust Anchor Sentinel for DNSSEC). My apologies if you meant the latter, as I have no information on that.
> 
>> So, my current question is:
>> 
>> - is it still useful?
> 
> Personally, I find it interesting data, but I currently have no business case for it.
> 
>> - will it be useful for the next RZ KSK rollover?
> 
> It may be.
> 
>> - is anybody gathering the data right now?
> 
> We (the Office of the CTO at ICANN) received accumulated stats from Root Server Operators before and during the last rollover. We do not receive them currently. While we have access to IMRS traffic data, we do not currently process RFC8145 signals.
> 
>> - is anybody planning to gather the data before the next RZ KSK rollover?
> 
> I am going to assume that that is going to happen.
> 
> Hope this helps!
> 
> Warmly,
> 
> Roy
> 
> 
>> 
>> Thanks,
>> Ondrej
>> --
>> Ondřej Surý (He/Him)
>> ondrej at isc.org
>> 
>> 
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
