[ALAC] DNSSEC KSK Rollover test

Alan Greenberg alan.greenberg at mcgill.ca
Fri Mar 30 01:28:46 UTC 2018


Lutz put that together after we had a long talk 
about whether the concept of using 
dnssec-failed.org would serve to give people a 
level of comfort about the rollover. He posted it to our DNSSEC wiki page.

I didn't mention it in my message for a good 
reason. He needs to change the text displayed if 
your resolver is DNSSEC-enabled. He says:


What will happen during the KSK Rollover for you?

Probably nothing, your resolver is validating 
DNSSEC correctly. Your ISP seems to make a good job in DNSSEC.

That misses the entire point of this issue. If 
your resolver is NOT validating DNSSEC, then that 
is the correct answer - you will be unaffected by the rollover.

But if it is validating DNSSEC, then you will be 
ok ONLY IF THE SECOND TRUST ANCHOR IS INSTALLED. 
If it is not installed, you will be blacked out.

This is the entire uncertainty we have been 
discussing - the number of users who will find 
out they are DNSSEC enabled but not using the then current key.

What he should be saying here is that you really 
need to contact your ISP (or whoever provides 
your DNS) and verify that they know about the rollover.

So it is prettier, but it currently sends the 
wrong message. When it is fixed, it will be a fine tool to tell people about.

Alan

At 29/03/2018 06:58 PM, Olivier MJ Crépin-Leblond wrote:

>A better tool, probably because it is a lot more 
>self explanatory, developed by Lutz Donnerhacke, 
>from our EURALO ALS Förderverein 
>Informationstechnik und Gesellschaft (FITUG) 
>e.V, is available at: 
>http://dnssec.donnerhacke.de/
>
>Best,
>
>Olivier
>
>On 27/03/2018 19:41, Alan Greenberg wrote:
>>Please take a moment to go to 
>>http://dnssec-failed.org.
>>
>>One of two things will happen:
>>
>>1. You will not be able to reach the site.
>>
>>or
>>
>>2. You will get a page on Comcast Network Management.
>>
>>If 2 is your result, the DNS resolver you are 
>>using is NOT DNSSEC-enabled and the KSK Rollover will be invisible to you.
>>
>>If you will be on the ALAC meeting, please do 
>>this before the meeting so you can report your results.
>>
>>Alan
>>
>>_______________________________________________
>>ALAC mailing list
>>ALAC at atlarge-lists.icann.org
>>https://atlarge-lists.icann.org/mailman/listinfo/alac
>>
>>At-Large Online: http://www.atlarge.icann.org
>>ALAC Working Wiki: 
>>https://community.icann.org/display/atlarge/At-Large+Advisory+Committee+(ALAC)
>
>
>--
>Olivier MJ Crépin-Leblond, PhD
>http://www.gih.com/ocl.html
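Added example, not part of the original thread or of either tool mentioned in it: a small classifier for the three cases discussed above, working from `dig`-style output for a query for dnssec-failed.org (a deliberately mis-signed zone) and, where known, the root trust anchors installed on the resolver. The key tags 19036 (KSK-2010) and 20326 (KSK-2017) are not stated in the thread, and the sample outputs are constructed.

```python
import re

# Root KSK key tags: 19036 = KSK-2010 (outgoing), 20326 = KSK-2017 (incoming).
# These numbers are not stated in the thread.
KSK_2010, KSK_2017 = 19036, 20326

# Constructed dig-style output for dnssec-failed.org (not real captures).
VALIDATING = (";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711\n"
              ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n")
NON_VALIDATING = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712\n"
                  ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n")
TIMED_OUT = ";; connection timed out; no servers could be reached\n"


def parse_header(dig_text):
    """Return (status, answer_count) from dig output, or (None, 0) if no header."""
    status = re.search(r"status:\s*([A-Z]+)", dig_text)
    answers = re.search(r"ANSWER:\s*(\d+)", dig_text)
    return (status.group(1) if status else None,
            int(answers.group(1)) if answers else 0)


def rollover_outlook(dig_text, anchor_tags=None):
    """Classify a resolver from its answer for the deliberately mis-signed zone.

    anchor_tags: key tags of the root trust anchors the resolver operator
    reports as installed, or None when that is unknown.
    """
    status, answers = parse_header(dig_text)
    if status == "NOERROR" and answers > 0:
        return "not validating: rollover is invisible"
    if status != "SERVFAIL":
        # Unreachable for some other reason; this says nothing about DNSSEC.
        return "inconclusive"
    if anchor_tags is None:
        return "validating: ask the DNS operator about the new trust anchor"
    if KSK_2017 in set(anchor_tags):
        return "validating: new trust anchor installed, ok"
    return "validating: new trust anchor missing, blackout after rollover"


if __name__ == "__main__":
    for text, tags in [(NON_VALIDATING, None), (VALIDATING, None),
                       (VALIDATING, [KSK_2010, KSK_2017]),
                       (VALIDATING, [KSK_2010]), (TIMED_OUT, None)]:
        print(rollover_outlook(text, tags))
```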