Running code: draft-ietf-dnsop-kskroll-sentinel-00 in Knot Resolver 2.0.0
Hello,

draft-ietf-dnsop-kskroll-sentinel-00 is now implemented in Knot Resolver version 2.0.0 [1], which was released yesterday, and it is enabled by default.

To make things more interesting, version 2.0.0 also has an implementation of RFC 8198 Aggressive Use of DNSSEC-Validated Cache, which effectively means that RFC 8145 signaling queries sent by something using our resolver are not going to reach root because they will be blocked by the aggressive cache. Oh well.

As I said earlier, I think we are not going to have reliable data in upcoming years, so let's generate some PR and treat KSK-2017 roll as one of many security issues - it will be fixed like any other security issue.

[1] Knot Resolver
https://www.knot-resolver.cz/
https://www.knot-resolver.cz/2018-01-31-knot-resolver-2.0.0.html

--
Petr Špaček @ CZ.NIC
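The interaction described in the message, as an added example that is not part of the original post and is not Knot Resolver code: it models how a cached NSEC record lets an RFC 8198 resolver answer an RFC 8145 key tag query itself instead of forwarding it to the root. The function names are hypothetical, the cached NSEC records are constructed sample data, and only single-label names directly under the root are handled.

```python
"""Added illustration: RFC 8198 aggressive NSEC use vs. RFC 8145 key tag
queries. All cached records below are constructed sample data."""


def ta_query_name(key_tags):
    """RFC 8145 key tag query name: '_ta-' plus sorted 4-digit hex key tags."""
    return "_ta-" + "-".join(f"{t:04x}" for t in sorted(key_tags)) + "."


def canon(name):
    """RFC 4034 section 6.1 sort key: lowercase labels, rightmost label first."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return tuple(l.encode("ascii") for l in reversed(labels))


def nsec_covers(owner, nxt, qname):
    """True if the NSEC record (owner -> nxt) proves that qname does not exist."""
    o, n, q = canon(owner), canon(nxt), canon(qname)
    if o < n:
        return o < q < n
    return q > o  # last NSEC of the zone: its next name wraps to the apex


def synthesized_nxdomain(nsec_cache, qname):
    """Can NXDOMAIN for a single-label name under the root be built from cache?

    Two proofs are needed: an NSEC covering qname itself and an NSEC covering
    the wildcard '*.' that could otherwise have produced an answer.
    """
    def covered(name):
        return any(nsec_covers(o, n, name) for o, n in nsec_cache)
    return covered(qname) and covered("*.")


# Constructed cache contents. Assumption: the root NSEC chain starts at "."
# and its next name is the first TLD, taken here to be "aaa.".
ROOT_NSEC_CACHE = [(".", "aaa."), ("com.", "comcast.")]

if __name__ == "__main__":
    # 19036 and 20326 are the key tags of KSK-2010 and KSK-2017.
    q = ta_query_name([20326, 19036])
    hit = synthesized_nxdomain(ROOT_NSEC_CACHE, q)
    print(f"{q} answered from cache, never sent to root: {hit}")
```

Because `_` (0x5f) and `*` (0x2a) both sort before `a` (0x61), a single validated NSEC record at the root apex is enough to cover every `_ta-` query name and the wildcard check at once.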