<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div></div><div>Mark,</div><div><br></div><div>Fixed at the microphone at DNS-OARC27 on Friday. Even tweeted!</div><div><br></div><div><table style="border: 1px solid black; padding: 8px;"><tbody><tr valign="bottom"><td width="48"><span style="background-color: rgba(255, 255, 255, 0);"><img src="https://pbs.twimg.com/profile_images/996959369/profile-in-prague_normal.JPG" style="width: 48px; height: 48px; padding-right: 8px;"></span></td><td><b style="background-color: rgba(255, 255, 255, 0);">Sebastian Castro (<a href="https://twitter.com/secastro?refsrc=email&s=11">@secastro</a>)</b></td></tr><tr><td colspan="2"><div><a href="https://twitter.com/secastro/status/913812852825137152?refsrc=email&s=11" style="background-color: rgba(255, 255, 255, 0);"><font color="#000000">9/29/17, 10:08 AM</font></a></div><div><span style="background-color: rgba(255, 255, 255, 0);">And <a href="https://twitter.com/NLnetLabs">@NLnetLabs</a> just changed the RFC 8145 defaults in Unbound… reported at the mic <a href="https://twitter.com/search?q=%23OARC27&src=hash">#OARC27</a></span></div></td></tr></tbody></table></div><div><br></div><div>It will take time to propagate a full release; however, you can help with upgrades for Southern Africa sometime soon.</div><div><br></div><div>Martin</div><div><br>On Oct 1, 2017, at 10:51 AM, Mark Elkins &lt;<a href="mailto:mje@posix.co.za">mje@posix.co.za</a>&gt; wrote:<br><br></div><blockquote type="cite"><div><span>I've read the slides. So newish versions of Unbound and BIND can expose</span><br><span>what trust anchor keys they are using, which can be captured and</span><br><span>documented. Cool - except Unbound doesn't switch this on by default. 
I'm</span><br><span>not sure what has been measured though, or rather what the</span><br><span>interpretation of the graphs shows.</span><br><span></span><br><span>Newer versions of BIND config files include "dnssec-validation auto;"</span><br><span></span><br><span>So people are not updating their configs? They are not even using a</span><br><span>"Managed" root KSK? (Their 'dnssec' portions of their BIND configs are</span><br><span>over 5 years old!?)</span><br><span></span><br><span>I'm trying to raise awareness in South Africa as we already seem to have</span><br><span>a high percentage of people using DNSSEC-aware resolvers. Just need to</span><br><span>make sure my understanding is correct.</span><br><span></span><br><span>-- </span><br><span>Mark James ELKINS  -  Posix Systems - (South) Africa</span><br><span><a href="mailto:mje@posix.co.za">mje@posix.co.za</a>       Tel: +27.128070590  Cell: +27.826010496</span><br><span>For fast, reliable, low cost Internet in ZA: <a href="https://ftth.posix.co.za">https://ftth.posix.co.za</a></span><br><span>_______________________________________________</span><br><span>dnssec-coord mailing list</span><br><span><a href="mailto:dnssec-coord@elists.isoc.org">dnssec-coord@elists.isoc.org</a></span><br><span><a href="https://elists.isoc.org/mailman/listinfo/dnssec-coord">https://elists.isoc.org/mailman/listinfo/dnssec-coord</a></span><br></div></blockquote></body></html>