On 3/26/2015 11:26 AM, Olaf Kolkman wrote:

On 24 Mar 2015, at 23:27, David Conrad wrote:

On Tue, Mar 24, 2015 at 04:25:04PM -0400, Michael StJohns wrote:

One of the discussions we've been having about 5011 roll overs is that
there's no way to tell whether or not they are "taking" because there's
no way to check the resolvers externally.

Why do we need to check externally?

How can we (the folks who are responsible for the KSK) tell if it is safe
to revoke the old KSK?

With this mechanism only the open resolvers would be able to tell you. I would hope that is a minimal subset of all the resolvers you'd like to test.


This is going to get you to a large proportion of servers that serve the broadband home market. What it doesn't necessarily get you are the commercial companies. OTOH those commercial companies may be more likely to be actively managed.

I was trying to figure out if some sort of "test me" web page could be used to reflect this data back to some sort of collector, *without* ending up with a DoS amplification attack. Or a Mozilla or other web browser extension that will do this check every 30 days or so (with user permission, and dump the data somewhere accessible).

*sigh* Mike



This would provide nice troubleshooting information for people 'inside' the recursive servers' service network, and not everybody has rndc permission, or runs BIND, but it may not be that useful for the KSK signing folk.

—Olaf


Olaf Kolkman
Chief Internet Technology Officer
Internet Society
kolkman@isoc.org www.internetsociety.org
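The "is it safe to revoke the old KSK" question above comes down to whether every resolver has already carried the new key through the RFC 5011 add hold-down. The following is an added illustration, not code from this thread or from any resolver: a minimal resolver-side model of the RFC 5011 trust-anchor states, with a constructed rollover scenario in which key names ("old", "new"), poll times and the revocation date are all made up. The Missing state is left out to keep the model short.

```python
from dataclasses import dataclass

DAY = 86400
ADD_HOLD_DOWN = 30 * DAY     # RFC 5011 section 2.4.1
REMOVE_HOLD_DOWN = 30 * DAY  # RFC 5011 section 2.4.1
REVOKE = 0x0080              # DNSKEY REVOKE flag, RFC 5011 section 2.1

@dataclass
class Anchor:
    state: str   # "AddPend", "Valid" or "Revoked" (Missing not modelled)
    since: int   # time the current state was entered

class Resolver:
    def __init__(self, initial_keys, now):
        # Keys configured out of band start out Valid.
        self.anchors = {k: Anchor("Valid", now) for k in initial_keys}

    def trusted(self):
        return {k for k, a in self.anchors.items() if a.state == "Valid"}

    def observe(self, now, dnskeys, signers):
        """dnskeys: key name -> flags; signers: names whose RRSIGs cover the RRset.
        Returns False when no Valid anchor signed it: RFC 5011 then learns nothing."""
        if not signers & self.trusted():
            return False
        for name, flags in dnskeys.items():
            a = self.anchors.get(name)
            if a is None:
                if not flags & REVOKE:                       # unknown revoked keys are ignored
                    self.anchors[name] = Anchor("AddPend", now)   # start add hold-down
            elif flags & REVOKE and name in signers and a.state != "Revoked":
                a.state, a.since = "Revoked", now            # self-signed revocation
            elif a.state == "AddPend" and now - a.since >= ADD_HOLD_DOWN:
                a.state, a.since = "Valid", now              # key survived the hold-down
        for name in list(self.anchors):
            a = self.anchors[name]
            if a.state == "AddPend" and name not in dnskeys:
                del self.anchors[name]   # withdrawn before the hold-down expired: forget it
            elif a.state == "Revoked" and now - a.since >= REMOVE_HOLD_DOWN:
                del self.anchors[name]   # remove hold-down expired
        return True

def rollover(poll_times, revoke_at, start=0):
    """Constructed scenario: 'old' is trusted at start, 'new' is published at start,
    'old' is revoked (self-signed, REVOKE bit set) from revoke_at on."""
    r = Resolver({"old"}, start)
    for t in poll_times:
        if t < revoke_at:
            r.observe(t, {"old": 0x0101, "new": 0x0101}, {"old"})
        else:
            r.observe(t, {"old": 0x0181, "new": 0x0101}, {"old", "new"})
    return r.trusted()
```

A resolver that polled early ends up trusting only "new"; one that first saw "new" 25 days before the revocation ends up with no Valid anchor at all, which is exactly what the KSK operator cannot observe from outside.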



_______________________________________________
ksk-rollover mailing list
ksk-rollover@icann.org
https://mm.icann.org/mailman/listinfo/ksk-rollover