On 7/26/17, 11:37, "Wes Hardaker" <wjhns1@hardakers.net> wrote: Edward Lewis <edward.lewis@icann.org> writes: > RFC-5011 following servers ought to be about halfway to trusting > KSK-2017 about this day (unless they're being attacked :-) Note the "ought to be" ... i.e., if not halfway, maybe they are being attacked. ;)

Olaf Kolkman <kolkman@isoc.org> wrote:

Is there any advice we can give to resolver ops in a month or so? Like check your trust anchor it should now contain <blob>?

I wrote some brief BIND-specific advice for my colleagues at https://jackdaw.cam.ac.uk/ipreg/nsconfig/dnssec-validation.html ISC.org have a longer and more comprehensive version https://www.isc.org/blogs/2017-root-key-rollover-what-does-it-mean-for-bind-... It mentions contrib/scripts/check5011.pl which I wrote some years ago, tho beware it has a parsing bug that fails with some versions of dig https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=ed2659c... I'm not aware that Unbound has similar tools for diagnosing its 5011 state, though JP Mens has a write-up which suggests its trust anchor file is readable enough by itself. http://jpmens.net/2015/01/21/opendnssec-rfc-5011-bind-and-unbound/ Maybe something similar is true for the Knot resolver? http://knot-resolver.readthedocs.io/en/stable/daemon.html#enabling-dnssec PowerDNS relies on manual configuration and/or software updates to get new built-in trust anchors. https://doc.powerdns.com/recursor/dnssec.html#trust-anchor-management Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ - I xn--zr8h punycode Forties: Southwest 4 or 5, decreasing 3 at times, backing southeast 5 to 7, then becoming cyclonic 6 to gale 8, perhaps severe gale 9 later. Slight, becoming moderate or rough. Showers then rain. Good, occasionally moderate.