horok/knot-resolver
1
0
Fork 0
Code Activity
knot-resolver/modules/ta_signal_query/README.rst
Daniel Baumann fbc604e215
Adding upstream version 5.7.5. 
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
2025-06-21 13:56:17 +02:00

31 lines
1.4 KiB
ReStructuredText
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

.. SPDX-License-Identifier: GPL-3.0-or-later
.. _mod-ta_signal_query:
Signaling Trust Anchor Knowledge in DNSSEC
==========================================
The module for Signaling Trust Anchor Knowledge in DNSSEC Using Key Tag Query,
implemented according to :rfc:`8145#section-5`.
This feature allows validating resolvers to signal to authoritative servers
which keys are referenced in their chain of trust. The data from such
signaling allow zone administrators to monitor the progress of rollovers
in a DNSSEC-signed zone.
This mechanism serve to measure the acceptance and use of new DNSSEC
trust anchors and key signing keys (KSKs). This signaling data can be
used by zone administrators as a gauge to measure the successful deployment
of new keys. This is of particular interest for the DNS root zone in the event
of key and/or algorithm rollovers that rely on :rfc:`5011` to automatically
update a validating DNS resolvers trust anchor.
.. attention::
Experience from root zone KSK rollover in 2018 shows that this mechanism
by itself is not sufficient to reliably measure acceptance of the new key.
Nevertheless, some DNS researchers found it is useful in combination
with other data so we left it enabled for now. This default might change
once more information is available.
This module is enabled by default. You may use ``modules.unload('ta_signal_query')``
in your configuration.
View git blame Copy permalink