On 24 Mar 2015, at 23:27, David Conrad wrote:
On Tue, Mar 24, 2015 at 04:25:04PM -0400, Michael StJohns wrote:
One of the discussions we've been having about 5011 rollovers is that
there's no way to tell whether or not they are "taking" because there's
no way to check the resolvers externally.
Why do we need to check externally?
How can we (the folks who are responsible for the KSK) tell if it is safe
to revoke the old KSK?
With this mechanism only the open-resolvers would be able to tell you. I would hope that is a minimal subset of all the resolvers you'd like to test.
This would provide nice troubleshooting information for people 'inside' the recursive server's service network, and not everybody has rndc permission, or runs BIND, but it may not be that useful for the KSK signing folk.
—Olaf
Olaf Kolkman
Chief Internet Technology Officer
Internet Society
kolkman@isoc.org www.internetsociety.org