On 17.1.2018 02:19, Paul Hoffman wrote:
On Jan 16, 2018, at 12:48 PM, Bob Harold <rharolde@umich.edu> wrote:
As I understand it, draft-huston-kskroll-sentinel could be set up by one person.
That doesn't match my understanding from the draft or the clarification that Warren sent to the DNSOP WG yesterday. It has to be installed and configured in resolvers first, and then the test can be run by one person who can get folks to hit a web page or download some JavaScript.
Warren, do I have that correctly?
I will reply even though I'm not Warren: yes, this is correct; it needs support in every validating resolver. In other words, this mechanism suffers from the very same upgrade problem as RFC 8145. I've implemented a prototype of draft-huston-kskroll-sentinel for Knot Resolver, but later I realized that whatever we do is largely irrelevant when it comes to collecting reliable data for *this* KSK roll. We should go ahead and implement draft-huston-kskroll-sentinel, but I do not see it giving us data for the KSK-2017 roll. This is how I arrived at the conclusion that KSK-2017 will inevitably involve some out-of-band fixes and press coverage, similarly to any other security issue these days.

-- 
Petr Špaček @ CZ.NIC
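The message above describes the sentinel mechanism only in outline: resolvers must first be upgraded to recognise special sentinel names, and then a web page or a bit of JavaScript can query those names through a user's resolver and infer which root trust anchors it holds. The following is an added example, not code from the thread, from the draft, or from Knot Resolver. It models that exchange with a toy resolver and the client-side classification step, so that the "upgrade problem" Petr refers to is visible in code: a resolver that does not implement the draft answers every sentinel name normally, so the client cannot learn anything about its trust anchors. Assumptions: the label prefixes `kskroll-sentinel-is-ta-` and `kskroll-sentinel-not-ta-` stand in for the draft's own label syntax, which this page does not quote; the control name and the `makeResolver`/`classify` functions are invented for the example; the key tags 19036 and 20326 are the published tags of KSK-2010 and KSK-2017.

```javascript
// Added example: a model of the KSK-roll sentinel exchange described in the
// thread. Not the draft's text and not Knot Resolver's implementation.

// Published key tags of the root KSKs involved in the 2017 roll.
const OLD_KSK_TAG = 19036; // KSK-2010
const NEW_KSK_TAG = 20326; // KSK-2017

// Sentinel label prefixes. ASSUMPTION: placeholders for the draft's syntax,
// which is not quoted on this page.
const IS_TA = 'kskroll-sentinel-is-ta-';
const NOT_TA = 'kskroll-sentinel-not-ta-';

// A toy validating resolver. `trustAnchors` is the Set of root key tags it
// currently trusts; `sentinelSupport` models whether it has been upgraded to
// implement the draft. Every name is assumed to be validly signed, so the
// only reason for a SERVFAIL here is the sentinel logic itself.
function makeResolver({ trustAnchors, sentinelSupport }) {
  return function resolve(qname) {
    const first = qname.split('.')[0];
    if (sentinelSupport) {
      if (first.startsWith(IS_TA)) {
        // "is-ta": answer only if the named key tag IS a trust anchor.
        const tag = Number(first.slice(IS_TA.length));
        return trustAnchors.has(tag) ? 'OK' : 'SERVFAIL';
      }
      if (first.startsWith(NOT_TA)) {
        // "not-ta": answer only if the named key tag is NOT a trust anchor.
        const tag = Number(first.slice(NOT_TA.length));
        return trustAnchors.has(tag) ? 'SERVFAIL' : 'OK';
      }
    }
    // Non-sentinel name, or a resolver that predates the draft: normal answer.
    return 'OK';
  };
}

// The client side: the "web page / JavaScript" step. Three lookups through
// the user's resolver, then a verdict. `zone` is a hypothetical test zone.
function classify(resolve, tag, zone = 'example.net') {
  const control = resolve(`sentinel-control.${zone}`);
  const isTa = resolve(`${IS_TA}${tag}.${zone}`);
  const notTa = resolve(`${NOT_TA}${tag}.${zone}`);

  if (control !== 'OK') return 'broken';
  if (isTa === 'OK' && notTa === 'SERVFAIL') return `trusts-${tag}`;
  if (isTa === 'SERVFAIL' && notTa === 'OK') return `does-not-trust-${tag}`;
  // Both names resolved: the resolver is either non-validating or has not
  // been upgraded to implement the draft. Nothing can be learned about its
  // trust anchors, which is the upgrade problem discussed in the thread.
  return 'no-sentinel-support';
}

// Three resolver populations seen during the roll (constructed scenarios).
const upgradedOldOnly = makeResolver({
  trustAnchors: new Set([OLD_KSK_TAG]), sentinelSupport: true });
const upgradedBoth = makeResolver({
  trustAnchors: new Set([OLD_KSK_TAG, NEW_KSK_TAG]), sentinelSupport: true });
const legacyOldOnly = makeResolver({
  trustAnchors: new Set([OLD_KSK_TAG]), sentinelSupport: false });

function survey() {
  return {
    upgradedOldOnly: classify(upgradedOldOnly, NEW_KSK_TAG),
    upgradedBoth: classify(upgradedBoth, NEW_KSK_TAG),
    legacyOldOnly: classify(legacyOldOnly, NEW_KSK_TAG),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(survey());
}
```

The third resolver is the one that matters for the point being made: it has not picked up the new KSK, which is exactly the population a measurement campaign wants to find, yet because it also lacks sentinel support it is indistinguishable from a resolver that simply does not validate. The mechanism therefore only reports on resolvers that have already been updated, which is the same blind spot RFC 8145 trust-anchor signalling has.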