[Yeti DNS Discuss] 答复: The draft plan for next KSK rollover experiment

Davey Song(宋林健) ljsong at biigroup.cn
Thu Feb 16 10:02:52 UTC 2017

And we are finding out all alive resolvers in Yeti from traffic we collected. We can send queries as well, though not all of them are Public DNS ( open for all hosts )

发件人: discuss [mailto:discuss-bounces at lists.yeti-dns.org] 代表 Andreas Schulze
发送时间: 2017年2月15日 22:48
收件人: discuss at lists.yeti-dns.org
主题: Re: [Yeti DNS Discuss] The draft plan for next KSK rollover experiment

Am 15.02.2017 um 10:37 schrieb Davey Song(宋林健):
> Hopefully we can deliver some useful information before 2017-07-11 
> (when ICANN will publish the KSK into the root zone)


I installed a dedicated unbound resolver instance. It's purpose is to be monitored by my nagios hosts

unbound is configured to use the Warrens http://keyroll.systems:
	auto-trust-anchor-file: "trust/keyroll.systems-root-rfc5011.anchor"
	permit-small-holddown: yes
	add-holddown: 3600
		.        NS ns.root.
		ns.root. A

Nagios ask every 15minutes for ns.root and (I hope) akkept the answer only if DNSSEC validaion succeed This is the check:
	check_dig -l . -H $HOSTADDRESS$ -T NS -a ns.root -A +adflag

I guess it may be helpful to setup such a simila system to check also the Yeti-DNS right?


A. Schulze
discuss mailing list
discuss at lists.yeti-dns.org

More information about the discuss mailing list