from 29 September 2017 to 3 October 2017
Fairmont San Jose
US/Pacific timezone

Contribution Standard Presentation

Fairmont San Jose - Regency 2 Ballroom
Public Workshop

A Look at RFC 8145 Trust Anchor Signaling for the 2017 KSK Rollover

Speakers

  • Duane WESSELS

Primary authors

Content

RFC 8145 ("Signaling Trust Anchor Knowledge") was published in April 2017. This RFC describes how recursive name servers can signal, to authoritative servers, the trust anchors that they have configured for Domain Name System Security Extensions (DNSSEC) validation. Shortly after its publication, both Unbound and BIND implemented the specification. As organizations begin to deploy the new software versions, some of this “key tag data” is now appearing in queries to the root name servers.

This is useful data for Key Signing Key (KSK) rollovers, and especially for the root. Since the feature is very new, the number of recursive name servers providing data is not as significant as one might like for the upcoming root KSK rollover. Even so, it will be interesting to look at the data. By examining this data we can understand whether or not the technique works and hopefully inspire further adoption in advance of future KSK rollovers.
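As a sketch of how the key tag data described above could be tallied from root server query logs (an added example, not from the talk or its author): RFC 8145 key tag queries use QTYPE NULL and a QNAME of `_ta-` followed by hyphen-separated, four-digit hexadecimal key tags. The log line layout (`source qtype qname`), the sample lines and the function names are assumptions made for illustration; 19036 and 20326 are the key tags of the 2010 and 2017 root KSKs.

```python
import re
from collections import Counter

KSK_2010 = 19036  # 0x4a5c, outgoing root KSK
KSK_2017 = 20326  # 0x4f66, incoming root KSK

# RFC 8145 key tag query label: "_ta-" + hyphen-separated 4-digit hex key tags.
TA_LABEL = re.compile(r"^_ta-([0-9a-f]{4}(?:-[0-9a-f]{4})*)$", re.IGNORECASE)

def parse_key_tags(qname):
    """Return the key tags signalled for the root zone, or None if not a root signal."""
    # A single-label name refers to the root zone; "_ta-4a5c.example.com."
    # would describe example.com's trust anchors and is rejected here.
    m = TA_LABEL.match(qname.rstrip("."))
    if not m:
        return None
    return {int(h, 16) for h in m.group(1).split("-")}

def classify(tags):
    if KSK_2017 in tags:
        return "ready"      # new KSK configured (with or without the old one)
    if KSK_2010 in tags:
        return "old-only"   # validation would fail once the old KSK stops signing
    return "other"

def summarize(log_lines):
    """Count sources by rollover status; the most recent signal per source wins."""
    latest = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3 or parts[1].upper() != "NULL":
            continue
        tags = parse_key_tags(parts[2])
        if tags is not None:
            latest[parts[0]] = classify(tags)
    return dict(Counter(latest.values()))

# Constructed sample log lines (documentation address ranges), hypothetical format.
SAMPLE = [
    "192.0.2.10 NULL _ta-4a5c.",
    "192.0.2.10 NULL _ta-4a5c-4f66.",               # same source, later update
    "198.51.100.7 NULL _ta-4a5c.",
    "2001:db8::53 NULL _ta-4f66.",
    "203.0.113.5 A _ta-4a5c.",                      # wrong QTYPE, ignored
    "203.0.113.9 NULL _ta-4a5c.example.com.",       # not the root zone, ignored
    "203.0.113.20 NULL _ta-zzzz.",                  # malformed, ignored
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A source address can be a forwarder or NAT in front of several validators, so per-address counts only approximate the number of resolvers.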

Talk Duration

30 Minutes