Lutz put that together after we had a long talk about whether the concept of using dnssec-failed.org would serve to give people a level of comfort about the rollover. He posted it to our DNSSEC wiki page. I didn't mention it in my message for a good reason. He need to change the text displayed if your resolver is DNSSEC-enabled. He says: What will happen during the KSK Rollover for you? Probably nothing, your resolver is validating DNSSEC correctly. Your ISP seems to make a good job in DNSSEC. That misses the entire point of this issue. If your resolver is NOT validating DNSSEC, then that is the correct answer - you will be unaffected by the rollover. But if it is validating DNSSEC, then you will be ok ONLY IF THE SECOND TRUST ANCHOR IS INSTALLED. If it is not installed, you will be blacked out. This is the entire uncertainty we have been discussing - the number of users who will find out they are DNSSEC enabled but not using the then current key. What he should be saying here is that you reall need to contact your ISP (or whoever provides your DNS) and verify that they know about the rollover. So it is prettier, but it currently sends the wrong message. When it is fixed, it will be a fine tool to tell people about. Alan At 29/03/2018 06:58 PM, Olivier MJ Crépin-Leblond wrote:
A better tool, probably because it is a lot more self explanatory, developed by Lutz Donnerhacke, from our EURALO ALS Förderverein Informationstechnik und Gesellschaft (FITUG) e.V, is available at: <http://dnssec.donnerhacke.de/>http://dnssec.donnerhacke.de/
Best,
Olivier
On 27/03/2018 19:41, Alan Greenberg wrote:
Please take a moment to go to <http://dnssec-failed.org>http://dnssec-failed.org.
One of two things will happen:
1. You will not be able to reach the site.
or
2. You will get a page on Comcast Network Management.
If 2 is your result, the DNS resolver you are using is NOT DNSSEC-enabled and the KSK Rollover will be invisible to you.
If you will be on the ALAC meeting, please do this before the meeting so you can report your results.
Alan
_______________________________________________ ALAC mailing list <mailto:ALAC@atlarge-lists.icann.org>ALAC@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/alac
At-Large Online: <http://www.atlarge.icann.org>http://www.atlarge.icann.org ALAC Working Wiki: <https://community.icann.org/display/atlarge/At-Large+Advisory+Committee+(ALAC)>https://community.icann.org/display/atlarge/At-Large+Advisory+Committee+(ALAC)
-- Olivier MJ Crépin-Leblond, PhD <http://www.gih.com/ocl.html>http://www.gih.com/ocl.html
Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Microsoft-Exchange-Diagnostics:
1;YTOPR01MB0396;27:UCTzWL1+OccLlrP+pYAIPPg/gS5PRFRUDfjenM/K0MydWHc3QBeRj4NGk81CTCO+34U/uI5HIanjG8J+lDk9sjS8P62+41dS1o8noGhl4TVsM02hLYjXFB7AUcHFRoVf X-Microsoft-Antispam-Message-Info:
vkarBCxQyga7/s9BtTpxlJsaG64Q03hSWWz97kCKg7mwDc8kYcky0PX6Q6/PCq104eGskqMd/V18Fu3sGgqDBOG2OfeUTfP9LT2al3WuG8p6iRtQoe/QAUOIFZqG39xyCgRqaRCrU5TzkKz3WByjtwBHEwHIlE8jzP/fVIAC3M2I62ArFu2jA1FiaS+eObPu32ZeKj9UiGXFiQp3+dYA9ZvnQ2np9FoVaOWoY5OXsKbG34hhkaTMjevCKCFXQHHzRhibYjbSP9VJ07PBmaFIjrqDgBXCqu19cmguy3K5SVuXSUgAabS4rYJO4W3l70BfN5xrps8kuFJaGv+0J2QYh0yAXTMky2Vm/wYePFDer79YNh5JrWpYue1M+/v6PogGfZpDcG70EJcz0MHb1t/8I+7j32Zy1NopZFZ6z9kMc6k=
_______________________________________________ ALAC mailing list ALAC@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/alac
At-Large Online: http://www.atlarge.icann.org ALAC Working Wiki: https://community.icann.org/display/atlarge/At-Large+Advisory+Committee+(ALA...)