From: Petr Špaček Date: Wed, 6 Feb 2019 10:53:25 +0000 (+0100) Subject: ta_signal_query: document its limitations X-Git-Tag: v4.0.0~42^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=156eecdb5321c2b72ddb17b7b318bdfb6822dafb;p=thirdparty%2Fknot-resolver.git ta_signal_query: document its limitations --- diff --git a/modules/ta_signal_query/README.rst b/modules/ta_signal_query/README.rst index 04ee1edce..ad1b345bc 100644 --- a/modules/ta_signal_query/README.rst +++ b/modules/ta_signal_query/README.rst @@ -18,5 +18,12 @@ of new keys. This is of particular interest for the DNS root zone in the event of key and/or algorithm rollovers that rely on :rfc:`5011` to automatically update a validating DNS resolver’s trust anchor. +.. attention:: + Experience from root zone KSK rollover in 2018 shows that this mechanism + by itself is not sufficient to reliably measure acceptance of the new key. + Nevertheless, some DNS researchers found it is useful in combination + with other data so we left it enabled for now. This default might change + once more information is available. + This module is enabled by default. You may use ``modules.unload('ta_signal_query')`` in your configuration.
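Review bot: In the added ``.. attention::`` block, "This default might change" points at a default that the README only states afterwards, in the unchanged line "This module is enabled by default". Either move the admonition below that paragraph or state inside it that the module is currently enabled by default. In the same block, "this mechanism" directly follows the context sentence about :rfc:`5011`, so it can be read as meaning RFC 5011 automatic updates rather than the signaling done by ta_signal_query; naming the module or the signal query explicitly would remove the ambiguity. Minor wording: "found it is useful" reads better as "found it useful", and a comma before "so we left it enabled" would help.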