[dnssec-coord] Root KSK key roll postponed... anyone have more info?

Martin J. Levy mahtin at mahtin.com
Sun Oct 1 11:17:28 PDT 2017


Mark,

Fixed at the microphone at DNS-OARC27 on Friday. Even tweeted!

	Sebastian Castro (@secastro)
9/29/17, 10:08 AM
And @NLnetLabs just changed the RFC 8145 defaults in Unbound… reported at the mic #OARC27

It will take time to propagate a full release; however, you can help with upgrades for Southern Africa sometime soon.

Martin

> On Oct 1, 2017, at 10:51 AM, Mark Elkins <mje at posix.co.za> wrote:
> 
> I've read the slides. So newish versions of Unbound and Bind can expose
> what trust anchor keys they are using, which can be captured and
> documented. Cool - except Unbound doesn't switch this on by default. I'm
> not sure what has been measured though, or rather what the
> interpretation of the graphs show.
> 
> Newer versions of BIND config files include "dnssec-validation auto;"
> 
> So people are not updating their configs? They are not even using a
> "Managed" root KSK? (Their 'dnssec' portions of their BIND configs are
> over 5 years old!?)
> 
> I'm trying to raise awareness in South Africa as we already seem to have
> a high percentage of people using DNSSEC aware resolvers. Just need to
> make sure my understanding is correct.
> 
> -- 
> Mark James ELKINS  -  Posix Systems - (South) Africa
> mje at posix.co.za       Tel: +27.128070590  Cell: +27.826010496
> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
> _______________________________________________
> dnssec-coord mailing list
> dnssec-coord at elists.isoc.org
> https://elists.isoc.org/mailman/listinfo/dnssec-coord
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://elists.isoc.org/pipermail/dnssec-coord/attachments/20171001/66211365/attachment.html>


More information about the dnssec-coord mailing list