[DNSOP] DNSSEC validation

2018-09-24 Thread Djibril ROBLE
Hi, I am an administrator of DNS resolvers at Djibouti Telecom. I updated the root key on our DNS resolver servers. Is there a way to tell if DNSSEC is using the last trusted anchor (Update on the Root KSK Rollover Project)? # dig @127.0.0.1 dnssec-failed.org a +dnssec Link: htt

Re: [DNSOP] DNSSEC validation latency

2013-12-03 Thread ✅ Roy Arends
On 03 Dec 2013, at 11:06, Tony Finch wrote: > Roy Arends wrote: >> >> i.e. I never said that it doesn’t make sense to reduce validation >> latency. On the contrary. >> >> I also said that it makes sense to complete the delegation chain first, >> then complete the validation chain. > > But tho

Re: [DNSOP] DNSSEC validation latency

2013-12-03 Thread Tony Finch
Roy Arends wrote: > > i.e. I never said that it doesn’t make sense to reduce validation > latency. On the contrary. > > I also said that it makes sense to complete the delegation chain first, > then complete the validation chain. But those two statements are a contradiction. The main opportunity

Re: [DNSOP] DNSSEC validation latency

2013-12-03 Thread ✅ Roy Arends
On 03 Dec 2013, at 10:06, Tony Finch wrote: > Mark Andrews wrote: >> Tony Finch wrote: >>> Roy Arends wrote: >>> If that succeeds, only then validation makes sense. >>> >>> Why? Why not validate the chain of referrals as you follow them? The >>> protocol is designed to support that othe

Re: [DNSOP] DNSSEC validation latency

2013-12-03 Thread Tony Finch
Mark Andrews wrote: > Tony Finch wrote: > > Roy Arends wrote: > > > > > If that succeeds, only then validation makes sense. > > > > Why? Why not validate the chain of referrals as you follow them? The > > protocol is designed to support that otherwise it would not include the DS > > in the refer

Re: [DNSOP] DNSSEC validation latency

2013-12-02 Thread Mark Andrews
In message , Tony Finch writes: > > ✅ Roy Arends wrote: Tony, why did you put a WHITE HEAVY CHECK MARK before Roy's name? As far as I can tell it is just extraneous noise being transmitted for no benefit to anyone. > > > So in the trace above, step (4) is redundant: the resolve

Re: [DNSOP] DNSSEC validation latency

2013-12-02 Thread Tony Finch
✅ Roy Arends wrote: > > > So in the trace above, step (4) is redundant: the resolver already > > received the DS in step (1). > > In this case, yes. However, this is not consistent across all delegation > points. As an example, UK and ORG.UK are hosted from the same set of > servers. When asked ab

Re: [DNSOP] DNSSEC validation latency

2013-12-02 Thread ✅ Roy Arends
On 02 Dec 2013, at 12:23, Tony Finch wrote: > Tangentially from the topic of draft-wouters-edns-tcp-chain-query, I have > noticed a gap in performance between what BIND's validating resolver does > and what the DNSSEC specifications allow. > > If I run the following commands to prepare the cache

[DNSOP] DNSSEC validation latency

2013-12-02 Thread Tony Finch
Tangentially from the topic of draft-wouters-edns-tcp-chain-query, I have noticed a gap in performance between what BIND's validating resolver does and what the DNSSEC specifications allow. If I run the following commands to prepare the cache ... $ rndc flush $ dig dnskey uk $ dig dnskey ac.uk .