[AusNOG] The root zone KSK has been rolled.

Terry Manderson terry at terrym.net
Fri Oct 12 09:21:17 EST 2018


It is true that the first symptoms will be seen within 48hrs (TTL).

Based on "lab" condition experiments, the increase of ./IN/DNSKEY queries would be mostly evenly distributed within the period of the TTL (or half the TTL period, depending on some caches refreshing at half the TTL), as caches across the net are not all refreshed at the same time. I'm personally not expecting a cliff edge.

Since it's now 6 hours in, and I'm not seeing an increase of ./IN/DNSKEY at one particular root server, nor a swing to TCP, my resulting hypothesis is that things are looking OK. The downside of course is that minor issues or a small level of impact will be harder to see in the query volumes. (If I was a betting man, I might suggest that the hard-to-find issues will start to come out in a few weeks' or months' time, when weird things pop up from someone hardcoding a trust anchor into something, much like people using the address 1.1.1.1 because it is used in some documentation.)

That of course doesn't change my recommendation. That is, if someone does see an issue, join the ksk-rollover mailing list and report it there (https://mm.icann.org/listinfo/ksk-rollover).

Cheers
Terry


> On 12 Oct 2018, at 7:46 am, Tom Paseka <tom at cloudflare.com> wrote:
> 
> It's a little early to call it. Let's give it a day or so before we see the TTLs expire ;)
> 
> -Tom
> 
> On Thu, Oct 11, 2018 at 10:41 AM Terry Manderson <terry at terrym.net> wrote:
> 
> Hi all,
> 
> Wearing a bit of a DNS hat on this email.
> 
> I'm sure you are all aware of this, especially those of you who are operating DNSSEC validating DNS resolvers: the KSK was rolled at 1600 UTC (about 1.5 hours ago).
> 
> I'm watching from LA, and it looks to be a "Y2K" event.. i.e. it's just happened and there is "nothing to see here". Which, I think, many expected.
> 
> If in the rare chance you do see an issue, that is not related to a nameserver configuration misstep, do please join the ksk-rollover mailing list and report it there for discussion. 
> 
>         https://mm.icann.org/listinfo/ksk-rollover
> 
> Sleep well!
> 
> Cheers
> Terry
> 
> 
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog


