DNS Root with accelerated, continually rolling KSK/ZSKs algorithms - LIVE
RLamb March 2023. Resurrected Last KSK Roll Mission.

notices

      8 May 2023 1500-2300 PDT: site down due to ISP outage
      11 Jan 2024 0000-23000 PDT: site down due to ISP outage
      

Root server current state indicated by red block in first row. ~60 seconds per slot
To test use resolver config unbound.conf.txt and root.hints.txt.

Set initial unbound.root.key.txt to:
.			12	IN	DNSKEY	257 3 8 AwEAAb8QjXc6OxNjXNUFS+dgRhopTaIgYyNrKo5y5m8eo55gfY5R7BQM aFkXWg1/4FmLaYhCUmSjUPscarzttklth+OvnXBbgdJCgCS2G5alKjXh /N5imu4NLI1P74BCPGc1+tnzl43H/xO+Xgk4VSGhRJQwJ1qyE1PIWQ0+ ynzb1QPi8fqHQVT7wgvHJ+pLPsyeRWOCPYGliI7A0E2P/i0IirOR2Lzl yhKjvMRL3GF0pQtcmdpRk7MRNbR3AYOwNrLR9P9LKkhPkVa31lCaBc0I jYjQaL1kpwS/O3XTt0vFJXnTUjdvD3EcIbjweKB0KZRdxaraXQAGHqK7 BKiwwEbKyec=

This works for me (you may need to change username/port/etc):
  wget http://a.moot-servers.net/unbound.conf.txt http://a.moot-servers.net/root.hints.txt http://a.moot-servers.net/unbound.root.key.txt; unbound -c unbound.conf.txt -d
Then do "dig"s against unbound and see it auto update unbound.root.key.txt

Notes:

• Squares contain key tag number-algorithm number. Rotates thru RSASHA256, ECDSAP256SHA256, ECDSAP384SHA384, ED25519
• Green: current ZSK; Yellow: next ZSK; Pink: current KSK; Orange: next KSK
• Red KSK has revoke bit set in DNSKEY
• Last row is "MSG SIZE" bytes from "dig @me +multi +dnssec -t dnskey ." / signed root zonefile size.
• LIVE Trust Anchors ( CSR cert newCSR newcert pkcs7 xml ) as per specification at here or here and draft-jabley-dnssec-trust-anchor
• FYI: Double signing could double the size of the root zone file.
• Accelerated test root is based on real root pulled down once a day.
• Please be nice and dont hit this site/dns too hard! I dont have infinite bandwidth.

Resolver notes:

Not only will you need to set root hints and keys to our test server, but you will also need to set your resolver specific setting for accelerated rfc5011 processing. See https://www.co.tt/files/icksk/ how to. These have likely changed since the first root key rollover. But as fodder for moving forward:

Unbound add-holddown: 175, del-holddown: 175. Do "cat unbound.root.key.txt" to see what Unbound thinks is valid (eg "[ VALID|APPEND|REVOKED ]" at the end of keys). watch out for algorithm downgrade attack protections when experimenting.	Works!
Windows Server 2016 and 2022 DNS HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters then Edit --> New --> DWORD and creating TestMode_AccelerateRFC5011Timing and setting the value to 1, and TestMode_AccelerateKeyRolloverTiming and set value to 1. See this. Version: "DNS Microsoft Corporation Version: 1.0"	Fails on Algorithm 15 ed25519
Bind start it with command line parameters like: named -c named.conf -T mkeytimers=1/6/180 with trust-anchors { } in named.conf. Youll see log entries like: managed-keys-zone: New key 5413 observed for zone '.': starting 30-day acceptance timer; Key 14116 for zone . is now trusted (acceptance timer complete); Trusted key 14244 for zone . is now revoked; Revoked key 14244 for zone . no longer present in DNSKEY RRset: deleting from managed keys database. (a script)	Works!
kresd trust_anchors.hold_down_time = 175 * sec, trust_anchors.refresh_time = 10 * sec, trust_anchors.keep_removed = 1