Sentinel KSK Test

tl;dr:

This page uses the methods described in A Sentinel for Detecting Trusted Keys in DNSSEC to determine if the resolvers that you are using will survive the upcoming KSK roll.
You should really read the document, but the 50'000ft view is that it attempts to load resources from 3 names:

It then uses some simple logic to tell what your fate will be after the KSK roll:

  1. If you are not using a validating resolver, you will be able to load the invalid record.
  2. If you are using a validating resolver which does not understand this new mechanism you will be able to load both of the sentinel records: root-key-sentinel-is-ta-20326 and root-key-sentinel-not-ta-20326.
  3. If you are using a resolver that supports this mechanism you will only be able to load one of the two sentinel records - which one tells you how you will fare in the rollover.


Creative Commons License
This work by Warren Kumari is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.