diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-08 20:37:50 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-08 20:37:50 +0000 |
commit | c1f743ab2e4a7046d5500875a47d1f62c8624603 (patch) | |
tree | 709946d52f5f3bbaeb38be9e3f1d56d11f058237 /modules/ta_signal_query/README.rst | |
parent | Initial commit. (diff) | |
download | knot-resolver-c1f743ab2e4a7046d5500875a47d1f62c8624603.tar.xz knot-resolver-c1f743ab2e4a7046d5500875a47d1f62c8624603.zip |
Adding upstream version 5.7.1.upstream/5.7.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'modules/ta_signal_query/README.rst')
-rw-r--r-- | modules/ta_signal_query/README.rst | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/modules/ta_signal_query/README.rst b/modules/ta_signal_query/README.rst new file mode 100644 index 0000000..3136ecb --- /dev/null +++ b/modules/ta_signal_query/README.rst @@ -0,0 +1,31 @@ +.. SPDX-License-Identifier: GPL-3.0-or-later + +.. _mod-ta_signal_query: + +Signaling Trust Anchor Knowledge in DNSSEC +========================================== + +The module for Signaling Trust Anchor Knowledge in DNSSEC Using Key Tag Query, +implemented according to :rfc:`8145#section-5`. + +This feature allows validating resolvers to signal to authoritative servers +which keys are referenced in their chain of trust. The data from such +signaling allow zone administrators to monitor the progress of rollovers +in a DNSSEC-signed zone. + +This mechanism serve to measure the acceptance and use of new DNSSEC +trust anchors and key signing keys (KSKs). This signaling data can be +used by zone administrators as a gauge to measure the successful deployment +of new keys. This is of particular interest for the DNS root zone in the event +of key and/or algorithm rollovers that rely on :rfc:`5011` to automatically +update a validating DNS resolver’s trust anchor. + +.. attention:: + Experience from root zone KSK rollover in 2018 shows that this mechanism + by itself is not sufficient to reliably measure acceptance of the new key. + Nevertheless, some DNS researchers found it is useful in combination + with other data so we left it enabled for now. This default might change + once more information is available. + +This module is enabled by default. You may use ``modules.unload('ta_signal_query')`` +in your configuration. |