<html>
<body>
Lutz put that together after we had a long talk about whether the concept
of using dnssec-failed.org would serve to give people a level of comfort
about the rollover. He posted it to our DNSSEC wiki page.<br><br>
I didn't mention it in my message for a good reason. He needs to change
the text displayed if your resolver is DNSSEC-enabled. He says:<br><br>
<h1><font size=6 color="#0000FF"><b>What will happen during the KSK
Rollover for you?</b></font></h1><font color="#0000FF"><b>Probably
nothing</b>, your resolver is <i>validating DNSSEC correctly</i>. Your
ISP seems to make a good job in DNSSEC. <br><br>
</font><font color="#FF0000"><b>That misses the entire point of this
issue.</b></font> If your resolver is NOT validating DNSSEC, then that is
the correct answer - you will be unaffected by the rollover.<br><br>
<font color="#FF0000"><b>But if it is validating DNSSEC, then you will be
ok ONLY IF THE SECOND TRUST ANCHOR IS INSTALLED. If it is not installed,
you will be blacked out. <br><br>
</b></font>This is the entire uncertainty we have been discussing - the
number of users who will find out they are DNSSEC enabled but not using
the then current key.<br><br>
What he should be saying here is that you really need to contact your ISP
(or whoever provides your DNS) and verify that they know about the
rollover.<br><br>
So it is prettier, but it currently sends the wrong message. When it is
fixed, it will be a fine tool to tell people about.<br><br>
Alan<br><br>
At 29/03/2018 06:58 PM, Olivier MJ Crépin-Leblond wrote:<br><br>
<blockquote type=cite class=cite cite="">A better tool, probably because
it is a lot more self explanatory, developed by Lutz Donnerhacke, from
our EURALO ALS Förderverein Informationstechnik und Gesellschaft (FITUG)
e.V, is available at:
<a href="http://dnssec.donnerhacke.de/">http://dnssec.donnerhacke.de/</a>
<br><br>
Best,<br><br>
Olivier<br><br>
On 27/03/2018 19:41, Alan Greenberg wrote:<br>
<blockquote type=cite class=cite cite="">Please take a moment to go to
<a href="http://dnssec-failed.org">http://dnssec-failed.org</a>.
<br><br>
One of two things will happen: <br><br>
1. You will not be able to reach the site. <br><br>
or <br><br>
2. You will get a page on Comcast Network Management. <br><br>
If 2 is your result, the DNS resolver you are using is NOT DNSSEC-enabled
and the KSK Rollover will be invisible to you. <br><br>
If you will be on the ALAC meeting, please do this before the meeting so
you can report your results. <br><br>
Alan <br><br>
_______________________________________________ <br>
ALAC mailing list <br>
<a href="mailto:ALAC@atlarge-lists.icann.org">
ALAC@atlarge-lists.icann.org</a> <br>
<a href="https://atlarge-lists.icann.org/mailman/listinfo/alac" eudora="autourl">
https://atlarge-lists.icann.org/mailman/listinfo/alac</a> <br><br>
At-Large Online:
<a href="http://www.atlarge.icann.org">http://www.atlarge.icann.org</a>
<br>
ALAC Working Wiki:
<a href="https://community.icann.org/display/atlarge/At-Large+Advisory+Committee+(ALAC)">
https://community.icann.org/display/atlarge/At-Large+Advisory+Committee+(ALAC)</a>
<br>
</blockquote><br><br>
<pre>-- 
Olivier MJ Crépin-Leblond, PhD
<a href="http://www.gih.com/ocl.html">http://www.gih.com/ocl.html</a>
</pre><br>
</blockquote></body>
</html>