Sentinel KSK Test

Running tests... this will take around 5 seconds...

This page uses the methods described in A Sentinel for Detecting Trusted Keys in DNSSEC to determine if the resolvers that you are using will work after the upcoming KSK roll.
You should really read the document, but the 50'000ft view is that it attempts to load resources from 3 names:

• "http://invalid.ksk-test.net/invalid.gif"
• "http://root-key-sentinel-is-ta-20326.ksk-test.net/is-ta.gif"
• "http://root-key-sentinel-not-ta-20326.ksk-test.net/not-ta.gif"

It then uses some simple logic to tell what your fate will be after the KSK roll:

1. If you are not using a validating resolver, you will be able to load the invalid record.
2. If you are using a validating resolver which does not understand this new mechanism you will be able to load both of the sentinel records: root-key-sentinel-is-ta-20326 and root-key-sentinel-not-ta-20326.
3. If you are using a resolver that supports this mechanism you will only be able to load one of the two sentinel records - which one tells you how you will fare in the rollover.

For more information about how to prepare for the Root Zone KSK Roll visit: https://www.icann.org/resources/pages/ksk-rollover or read this blog entry by SIDN.nl.
ICANN also keep a regularly updated list of IP addresses of resolvers suspected of not having install the new KSK; view this list here.

This work by Warren Kumari is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.