[dnssec-coord] Root KSK key roll postponed... anyone have more info?

Mark Elkins mje at posix.co.za
Sun Oct 1 10:51:13 PDT 2017


I've read the slides. So newish versions of Unbound and Bind can expose
what trust anchor keys they are using, which can be captured and
documented. Cool - except Unbound doesn't switch this on by default. I'm
not sure what has been measured though, or rather what the
interpretation of the graphs show.

Newer versions of BIND config files include "dnssec-validation auto;"

So people are not updating their configs? They are not even using a
"Managed" root KSK? (Their 'dnssec' portions of their BIND configs are
over 5 years old!?)

I'm trying to raise awareness in South Africa as we already seem to have
a high percentage of people using DNSSEC aware resolvers. Just need to
make sure my understanding is correct.

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za


More information about the dnssec-coord mailing list