[Yeti DNS Discuss] Re: The draft plan for next KSK rollover experiment

Davey Song(宋林健) ljsong at biigroup.cn
Thu Feb 16 09:32:57 UTC 2017


Yes. We have a similar idea to make a query with the DO bit set to test the validation failure event.

Different from http://keyroll.systems, we honor the timers specified in RFC5011. 

Davey

-----Original Message-----
From: discuss [mailto:discuss-bounces at lists.yeti-dns.org] On Behalf Of Andreas Schulze
Sent: February 15, 2017 22:48
To: discuss at lists.yeti-dns.org
Subject: Re: [Yeti DNS Discuss] The draft plan for next KSK rollover experiment

On 15.02.2017 at 10:37, Davey Song(宋林健) wrote:
> Hopefully we can deliver some useful information before 2017-07-11 
> (when ICANN will publish the KSK into the root zone)

Hello,

I installed a dedicated unbound resolver instance. Its purpose is to be monitored by my nagios hosts.

unbound is configured to use Warren's http://keyroll.systems:
	auto-trust-anchor-file: "trust/keyroll.systems-root-rfc5011.anchor"
	permit-small-holddown: yes
	add-holddown: 3600
	root-hints:
		.        NS ns.root.
		ns.root. A  204.42.252.20

Nagios asks every 15 minutes for ns.root and (I hope) accepts the answer only if DNSSEC validation succeeds. This is the check:
	check_dig -l . -H $HOSTADDRESS$ -T NS -a ns.root -A +adflag


I guess it may be helpful to set up such a similar system to also check the Yeti-DNS, right?

Andreas



--
A. Schulze
DATEV eG
_______________________________________________
discuss mailing list
discuss at lists.yeti-dns.org
http://lists.yeti-dns.org/mailman/listinfo/discuss
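
One way to make the "accept the answer only if DNSSEC validation succeeds" condition explicit in a monitoring check, as an added example that is not part of the original thread or of either poster's setup: a Nagios-style plugin that queries with the DO bit set (`dig +dnssec`) and returns OK only when the response is NOERROR with the AD flag set. The names `classify` and `sample` are hypothetical, the dig output is constructed, and the code assumes the monitored resolver is a validating one that answers SERVFAIL on validation failure.

```python
#!/usr/bin/env python3
# Added example (not from the thread): Nagios-style check that a resolver's
# answer for ". NS" was DNSSEC-validated, judged from dig's text output.
import re
import subprocess
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios plugin exit codes

def classify(dig_output, expected_ns="ns.root."):
    """Return (exit_code, message) for the output of `dig . NS +dnssec`."""
    status = re.search(r"^;; ->>HEADER<<-.*status: (\w+)", dig_output, re.M)
    flags = re.search(r"^;; flags:([a-z ]*);", dig_output, re.M)
    if not status or not flags:
        return UNKNOWN, "UNKNOWN: no DNS header in dig output"
    rcode, flagset = status.group(1), set(flags.group(1).split())
    if rcode == "SERVFAIL":
        # A validating resolver returns SERVFAIL when validation fails.
        return CRITICAL, "CRITICAL: SERVFAIL, possible validation failure"
    if rcode != "NOERROR":
        return CRITICAL, f"CRITICAL: rcode {rcode}"
    if "ad" not in flagset:
        return CRITICAL, "CRITICAL: AD flag missing, answer not validated"
    records = [l.split() for l in dig_output.splitlines()
               if l and not l.startswith(";")]
    if not any(len(r) >= 5 and r[3] == "NS" and r[4] == expected_ns for r in records):
        return WARNING, f"WARNING: validated, but no NS {expected_ns}"
    return OK, f"OK: validated answer, NS {expected_ns}"

def sample(status, flags, answer=True):
    """Constructed dig-style output for offline testing (not a real capture)."""
    text = (f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 4242\n"
            f";; flags: {flags}; QUERY: 1, ANSWER: {int(answer)}, "
            "AUTHORITY: 0, ADDITIONAL: 1\n\n"
            ";; OPT PSEUDOSECTION:\n; EDNS: version: 0, flags: do; udp: 4096\n")
    if answer:
        text += ";; ANSWER SECTION:\n.\t\t3600\tIN\tNS\tns.root.\n"
    return text

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live mode: argument is the resolver address
        cmd = ["dig", f"@{sys.argv[1]}", ".", "NS", "+dnssec", "+time=5", "+tries=1"]
        out = subprocess.run(cmd, capture_output=True, text=True).stdout
    else:                  # offline demo on constructed input
        out = sample("NOERROR", "qr rd ra ad")
    code, msg = classify(out)
    print(msg)
    sys.exit(code)
```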




