[Yeti DNS Discuss] The draft plan for next KSK rollover experiment

Andreas Schulze andreas.schulze at datev.de
Wed Feb 15 14:48:17 UTC 2017


Am 15.02.2017 um 10:37 schrieb Davey Song(宋林健):
> Hopefully we can deliver some useful information before 2017-07-11 (when ICANN will publish the KSK into the root zone)

Hello,

I installed a dedicated unbound resolver instance. It's purpose is to be monitored by my nagios hosts

unbound is configured to use the Warrens http://keyroll.systems:
	auto-trust-anchor-file: "trust/keyroll.systems-root-rfc5011.anchor"
	permit-small-holddown: yes
	add-holddown: 3600
	root-hints:
		.        NS ns.root.
		ns.root. A  204.42.252.20

Nagios ask every 15minutes for ns.root and (I hope) akkept the answer only if DNSSEC validaion succeed
This is the check:
	check_dig -l . -H $HOSTADDRESS$ -T NS -a ns.root -A +adflag


I guess it may be helpful to setup such a simila system to check also the Yeti-DNS
right?

Andreas



-- 
A. Schulze
DATEV eG


More information about the discuss mailing list