8-9 March 2018
Centro de Convenciones de Puerto Rico
America/Puerto_Rico timezone

Testing Resolver Implementations of RFC 5011 for the Root KSK Roll

9 Mar 2018, 10:30
209-BC (Centro de Convenciones de Puerto Rico)


Centro de Convenciones de Puerto Rico

100 Calle Guamaní San Juan 00907 Puerto Rico
Standard Presentation Public Workshop Public Workshop


Mr. Martin Hoffmann (Open Netlabs BV)


As part of the assessment of the risk of rolling the root zone’s KSK, Verisign commissioned us to performe tests of the implementation of RFC 5011 support in past and present releases of the three open source DNS resolvers Unbound, Bind, and Knot Resolver with regards to the possible sequences of the roll of the root trust anchor. They kindly allowed us to share our findings. The presentation will first show our methodology—we used CZnic’s Deckard to simulate the full time period of a key roll—and the various scenarios we tested, covering both successful key rolls and possible aborts after starting, as well as typical operational occurrences such as installation after the key roll started, resolver restarts during the roll, or non-writeable state directories. It will then discuss our findings for each of the resolvers and show how their RFC 5011 support developed over the various releases. As a conclusion, we will try to assess what these findings may mean for the success of a root KSK roll.
Talk Duration 30 Minutes

Primary authors

Mr. George Thessalonikefs (Open Netlabs BV) Mr. Martin Hoffmann (Open Netlabs BV)

Presentation Materials

Your browser is out of date!

Update your browser to view this website correctly. Update my browser now