Signaling Trust Anchor Knowledge in DNSSEC
This module implements Signaling Trust Anchor Knowledge in DNSSEC Using Key Tag Query, as specified in RFC 8145, section 5.
This feature allows validating resolvers to signal to authoritative servers which keys are referenced in their chain of trust. The data from such signaling allows zone administrators to monitor the progress of rollovers in a DNSSEC-signed zone.
This mechanism serves to measure the acceptance and use of new DNSSEC trust anchors and key signing keys (KSKs). Zone administrators can use this signaling data as a gauge of how successfully new keys have been deployed. This is of particular interest for the DNS root zone in the event of key and/or algorithm rollovers that rely on RFC 5011 to automatically update a validating DNS resolver's trust anchor.
Attention
Experience from the root zone KSK rollover in 2018 shows that this mechanism by itself is not sufficient to reliably measure acceptance of the new key. Nevertheless, some DNS researchers found it useful in combination with other data, so we left it enabled for now. This default might change once more information is available.
This module is enabled by default. To disable it, use modules.unload('ta_signal_query') in your configuration.
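The following is an added example, not code from Knot Resolver or from RFC 8145: it builds and parses the `_ta-XXXX[-XXXX]` query name that section 5 of the RFC defines (each key tag as four lowercase hex digits, prepended to the zone name) and tallies constructed sample queries the way a zone operator monitoring a rollover would. Sorting the tags for a deterministic name, the sample client addresses and the log format are assumptions of this example.

```python
import re
from collections import Counter

# Key tags of the two root KSKs involved in the 2018 rollover, used as sample values:
# KSK-2010 = 19036 (0x4a5c), KSK-2017 = 20326 (0x4f66).
KSK_2010, KSK_2017 = 19036, 20326

# RFC 8145 section 5: a leading label "_ta" followed by one or more "-XXXX" key tags.
_TA_LABEL = re.compile(r"^_ta(?:-[0-9a-f]{4})+$")

def build_ta_signal_qname(key_tags, zone="."):
    """Build the signaling QNAME a resolver would send (with QTYPE NULL per the RFC).
    Tags are de-duplicated and sorted here for a deterministic name (assumption)."""
    if not key_tags:
        raise ValueError("at least one key tag is required")
    label = "_ta-" + "-".join(f"{tag:04x}" for tag in sorted(set(key_tags)))
    return label + "." if zone == "." else f"{label}.{zone.rstrip('.')}."

def parse_ta_signal_qname(qname):
    """Inverse of build_ta_signal_qname: return (zone, [key tags]) or None
    when the name is not a trust-anchor signaling name."""
    first, _, rest = qname.lower().rstrip(".").partition(".")
    if not _TA_LABEL.match(first):
        return None
    tags = [int(hex_tag, 16) for hex_tag in first.split("-")[1:]]
    return (rest + "." if rest else "."), tags

def summarize_signals(query_log, zone="."):
    """Tally which trust anchors each resolver reports for `zone` from constructed
    '<client> <qname>' log lines, keeping only a client's latest signal."""
    latest_per_client = {}
    for line in query_log:
        client, qname = line.split()
        parsed = parse_ta_signal_qname(qname)
        if parsed and parsed[0] == zone:
            latest_per_client[client] = tuple(parsed[1])
    return Counter(latest_per_client.values())

# Constructed sample log: three resolvers signaling to the root, plus an ordinary query.
SAMPLE_LOG = [
    "192.0.2.10 _ta-4a5c.",          # still trusts only KSK-2010
    "192.0.2.11 _ta-4a5c-4f66.",     # both keys: RFC 5011 add-hold-down completed
    "198.51.100.7 _ta-4f66.",        # already switched to the new key only
    "192.0.2.10 _ta-4a5c-4f66.",     # later signal from the first resolver
    "203.0.113.5 www.example.com.",  # not a signaling query, ignored
]
```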