Changes in 0db9436: Pick some typo, language and formatting nits

				howto/GRE-plus-IPsec.md
			
          @@ -7,8 +7,8 @@

           * It's supported by hardware routers.

           ## Why IPsec?

          -* GRE provides no encryption and authentication of it's own.

          -* IPsec in implemented in-kernel on FreeBSD and Linux with multithreaded encryption resulting in a lower latency than userspace VPN daemons using tun/tap interfaces.

          +* GRE provides no encryption or authentication of its own.

          +* IPsec is implemented in-kernel on FreeBSD and Linux with multithreaded encryption resulting in a lower latency than userspace VPN daemons using tun/tap interfaces.

           ## Problems with GRE

           * GRE is defined directly on top of IP.

				howto/IPsec-on-FreeBSD.md
			
          @@ -8,8 +8,8 @@ These instructions are for IPsec in transport mode not IPsec in tunnel mode. IPs

           * At least one static IPv4 on at least one endpoint unless you hate yourself.

           ## Kernel configuration

          -The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add this two lines to your kernel config and (re-)build your own kernel.

          -If you're new to FreeBSD check Chapters [15.9.1](http://www.freebsd.org/doc/handbook/ipsec.html) and [9](http://www.freebsd.org/doc/handbook/kernelconfig.html) of the FreeBSD handbook.

          +The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add these two lines to your kernel config and (re-)build your own kernel.

          +If you're new to FreeBSD, check chapters [15.9.1](http://www.freebsd.org/doc/handbook/ipsec.html) and [9](http://www.freebsd.org/doc/handbook/kernelconfig.html) of the FreeBSD handbook.

           ```conf

           options   IPSEC        #IP security

           device    crypto

          @@ -19,7 +19,7 @@ Reboot into your new kernel.

           ## Userland configuration

           Install the racoon daemon. It's included in the [security/ipsec-tools](http://www.freshports.org/security/ipsec-tools/) port.

          -Racoon is pain in the ass to configure the first time because it's error messages aren't helping and the complexity of IPsec. Don't let this stop you.

          +Racoon is pain in the ass to configure the first time because its error messages aren't helping and the complexity of IPsec. Don't let this stop you.

           ```conf

           path    pre_shared_key  "/usr/local/etc/racoon/psk";

           path    certificate     "/usr/local/etc/racoon/certs";

				howto/IPsecWithPublicKeys/OpenBSDExample.md
			
          @@ -7,17 +7,17 @@ Here be dragons. This section should cover the basics:

           # Key generation and distribution

           ## Using pre-generated keys

          -OpenBSD generates keys suitables for IPSec usage during the installation. The public key can be found in `/etc/isakmpd/local.pub`

          +OpenBSD generates keys suitable for IPSec usage during installation. The public key can be found in `/etc/isakmpd/local.pub`.

           ## Generating your own keys

           If you don't want to use a pre-generated key, refer to [isakmpd(8)](http://man.openbsd.org/isakmpd.8#X.509_AUTHENTICATION).

           ## Distributing keys

          -Send your public key to your peer, preferrably digitally signed. A signature can be created with `gpg -sb -a local.pub` and checked with `gpg --verify local.pub.asc`. Since the key is not private, it can be transmitted in the open and on a public forum, such as a Pastebin service.

          +Send your public key to your peer, preferably digitally signed. A signature can be created with `gpg -sb -a local.pub` and checked with `gpg --verify local.pub.asc`. Since the key is not private, it can be transmitted in the open and on a public forum, such as a Pastebin service.

          -Once your peer sent you their public key, it under `/etc/isakmpd/pubkeys/fqdn`, `/etc/isakmpd/pubkeys/ipv4` or `/etc/isakmpd/ipv6`, depending on the ID type the peer is using. The key file should be named after the peers ID. For example, if your peer is `1.3.3.7`, you place their public key under `/etc/isakmpd/pubkeys/ipv4/1.3.3.7`.

          +Once your peer sent you their public key, put it under `/etc/isakmpd/pubkeys/fqdn`, `/etc/isakmpd/pubkeys/ipv4` or `/etc/isakmpd/pubkeys/ipv6`, depending on the ID type the peer is using. The key file should be named after the peer ID. For example, if your peer is `1.3.3.7`, you place their public key under `/etc/isakmpd/pubkeys/ipv4/1.3.3.7`.

          -If your peers public key is not in PEM format, you can use [pubkey-converter](https://dn42.us/git/user/ryan/pubkey-converter.git/plain/pubkey-converter.pl) to convert between key formats.

          +If your peer's public key is not in PEM format, you can use [pubkey-converter](https://dn42.us/git/user/ryan/pubkey-converter.git/plain/pubkey-converter.pl) to convert between key formats.

           # IPSec Setup

           Change the value of the `isakmpd_flags` variable in [`/etc/rc.conf.local`](http://man.openbsd.org/rc.conf.local.8) to `"-K"`, or add the `"-K"` flag if you already have flags in there.

				howto/IPv6.md
			
          @@ -50,13 +50,13 @@ Just set it up like you would usually. Any IPv4 connection going through the pro

           In order to maintain backward compatibility, a number of methods have been used to be able to reach IPv4 space from IPv6. NAT-PT was deprecated, so this mostly leaves us with NAT64.

           NAT64 simply consists in embedding IPv4 addresses after an IPv6 prefix, and mapping the whole prefix to the whole of IPv4 space. Thanksfully, that's easily doable because we have 128-bit wide addresses in IPv6. As the name implies, we however have to perform Dynamic-NAT on the IPv4 side to squeeze all the incoming v6 space in v4 addresses (though it should be possible to run 1-1 mappings, but in that case, why not get a v4 address and NAT to it to begin with?)

          -Currently, NAT64 support in DN42 is non-existant, though there are ongoing experimentations with it. Technically, it is possible to announce a global anycast prefix for NAT64, allowing seamless IPv4 connectivity from any properly configured IPv6 host, or any using the DNS64 (which can also be setup on the anycast servers).

          +Currently, NAT64 support in DN42 is non-existent, though there are ongoing experimentations with it. Technically, it is possible to announce a global anycast prefix for NAT64, allowing seamless IPv4 connectivity from any properly configured IPv6 host, or any using the DNS64 (which can also be set up on the anycast servers).

          -DNS64 itself simply allow to synthetizes AAAA records from the received usual A records. Because DNS runs at the transport level and does not care for Layer 3 triffles, this is a service that you can run on your Nameserver even without being Dual-Stack capable. (TODO: DNS64 Howto with BIND9)

          +DNS64 itself simply allows to synthesize AAAA records from the received usual A records. Because DNS runs at the transport level and does not care for Layer 3 trifles, this is a service that you can run on your nameserver even without being dual-stack capable. (TODO: DNS64 Howto with BIND9)

           As such, any address that can only resolve to IPv4 will now also resolve to an address corresponding to it through the NAT64 prefix.

           ## Routing to Internet and DN42

          -So now that you've got IPv6 setup for DN42, you'd like to start using it on the Internet aswell. Or maybe you already do. But how to use your services on both public Internet and DN42 ?

          +So now that you've got IPv6 setup for DN42, you'd like to start using it on the Internet as well. Or maybe you already do. But how to use your services on both public Internet and DN42 ?

           ### With NPT

           A first approach is to use NPT: Network Prefix Translation. Yes, this sounds a lot like NAT, but fear not: it does not have most of its problems as it is fully stateless. Initially, the purpose of NPT was to allow multi-homing without an ASN: how can you be reachable through several prefixes allocated by different ISPs ? The IPv6-way of doing it would be to assign multiple addresses from the multiple prefixes to all your nodes, but isn't that just too complicated ?

				services/New-DNS.md
			
          @@ -16,10 +16,10 @@ The new DNS system has two different components:

           * *.delegation-servers.dn42 and *.master.delegation-servers.dn42 are a normal master-slave setup for providing the few official infrastructural zones.

           ## *.recursive-servers.dn42

          -These are simple resolvers capable of resolving dn42 domains. Every operator gets a single letter name pointing to addresses assigned from their own address space and is strongly encouraged to use anycasting across multiple nodes to improve reliability. There is also the global anycast a.recursive-servers.dn42 which includes some/all other instances. Whether an *.recursive-servers.dn42 can resolve clearnet queries or not is decided by its operator but all a.recursive-servers.dn42 instances MUST resolve clearnet queries correctly. It is explicitely not supported to use clearnet nservers for dn42 zones and dn42 nservers for clearnet zones.

          +These are simple resolvers capable of resolving dn42 domains. Every operator gets a single letter name pointing to addresses assigned from their own address space and is strongly encouraged to use anycasting across multiple nodes to improve reliability. There is also the global anycast a.recursive-servers.dn42 which includes some/all other instances. Whether an *.recursive-servers.dn42 can resolve clearnet queries or not is decided by its operator but all a.recursive-servers.dn42 instances MUST resolve clearnet queries correctly. It is explicitly not supported to use clearnet nservers for dn42 zones and dn42 nservers for clearnet zones.

           ## *.delegation-servers.dn42

          -These are simple authoritative servers for the dn42 zone, rDNS and a few DNS infrastruture zones. Every operator gets a single letter name pointing to addresses assigned from their own address space and is strongly encouraged to use anycasting across multiple nodes to improve reliability. There is no anycast instance because that would make debugging much harder and *.recursive-servers.dn42 instances should do loadbalancing/failover across all instances listed in the registry.

          +These are simple authoritative servers for the dn42 zone, rDNS and a few DNS infrastructure zones. Every operator gets a single letter name pointing to addresses assigned from their own address space and is strongly encouraged to use anycasting across multiple nodes to improve reliability. There is no anycast instance because that would make debugging much harder and *.recursive-servers.dn42 instances should do loadbalancing/failover across all instances listed in the registry.

           ## *.master.delegation-servers.dn42

           These instances do not serve any clients. They poll the registry regularly and rebuild and resign (DNSSEC) the zones as needed. If any zone changes, all *.delegation-servers.dn42 instances are notified ([RFC1996](https://tools.ietf.org/html/rfc1996)) which then load the new zone data over AXFR ([RFC5936](https://tools.ietf.org/html/rfc5936)). The pool of masters is intentionally kept very small because of its much higher coordination needs and also the lacking support of a multi-master mode in many authoritative server implementations. The masters are only reachable over dedicated IPv6 assignments which are set up in a way that any master operator can hijack the address of a problematic master without having to wait for its operator to fix something.

          @@ -41,7 +41,7 @@ burble is providing monitoring for the new DNS system. It does simple checks on 

           Also, gatuno provides another simple [dns checker for all the top level domains](http://gatuno.dn42/dns/) in the registry. If you want to check whatever a domain is resolving or not, this tool may be useful. The tool gets in sync with the registry every 12 hours. You can schedule checks for any domain.

           # DNSSEC

          -There are currently two KSKs managed by BURBLE-MNT and JRB0001-MNT. They are used once per quarter to sign the DNSKEY RRset. Each master operator has one ZSK which is used to sign the zones (except for the DNSKEY RRset). This setup leads to bigger responses but allows each KSK holder to solve emergencies independently. The signatures of the DNSKEY RRset are valid until the end of the first month of the next quarter to give enough time for coordinating the next siging. All other signatures are valid for 3 days and replaced at least once per day.

          +There are currently two KSKs managed by BURBLE-MNT and JRB0001-MNT. They are used once per quarter to sign the DNSKEY RRset. Each master operator has one ZSK which is used to sign the zones (except for the DNSKEY RRset). This setup leads to bigger responses but allows each KSK holder to solve emergencies independently. The signatures of the DNSKEY RRset are valid until the end of the first month of the next quarter to give enough time for coordinating the next signing. All other signatures are valid for 3 days and replaced at least once per day.

           The set of valid KSKs can be found in the registry.

				services/dns/Configuration.md
			
          @@ -314,9 +314,13 @@ All the examples here list 172.20.129.1/fd42:4242:2601:ac53::1, but users are en

           multiple services from *.delegation-servers.dn42 for redundancy.

           ## Dnssec

          -All delegation servers have DNSSEC support and all record are signed, for more information about DNSSEC visit [New-DNS#dnssec](/services/New-DNS#dnssec).

          +All delegation servers have DNSSEC support and all records are signed.

          +For more information about DNSSEC visit [New-DNS#dnssec](/services/New-DNS#dnssec).

          -Following is a list of links to the DS record for TLD and reverse zone, to configure the key file, extract the value of ds-rdata and format it as follows, you must add all ds-rdata to the key file for dnssec to work. P.S. each ds-rdata or DS record should contain 4 numbers.

          +Below is a list of links to the DS record for TLD and reverse zone.

          +To configure the key file, extract the value of ds-rdata and format it as follows.

          +You must add all ds-rdata to the key file for DNSSEC to work.

          +NB: each ds-rdata or DS record should contain 4 numbers.

           This is an example for dn42. and (fake) ds-rdata of 1 2 3 456

           ```conf

          @@ -400,6 +404,4 @@ stub-zone:

           	name: "d.f.ip6.arpa"

           	stub-addr: fd42:4242:2601:ac53::1

           	stub-addr: 172.20.129.1

          -

           ```

          -

...	...	@@ -314,9 +314,13 @@ All the examples here list 172.20.129.1/fd42:4242:2601:ac53::1, but users are en
314	314	multiple services from *.delegation-servers.dn42 for redundancy.
315	315
316	316	## Dnssec
317		-All delegation servers have DNSSEC support and all record are signed, for more information about DNSSEC visit [New-DNS#dnssec](/services/New-DNS#dnssec).
	317	+All delegation servers have DNSSEC support and all records are signed.
	318	+For more information about DNSSEC visit [New-DNS#dnssec](/services/New-DNS#dnssec).
318	319
319		-Following is a list of links to the DS record for TLD and reverse zone, to configure the key file, extract the value of ds-rdata and format it as follows, you must add all ds-rdata to the key file for dnssec to work. P.S. each ds-rdata or DS record should contain 4 numbers.
	320	+Below is a list of links to the DS record for TLD and reverse zone.
	321	+To configure the key file, extract the value of ds-rdata and format it as follows.
	322	+You must add all ds-rdata to the key file for DNSSEC to work.
	323	+NB: each ds-rdata or DS record should contain 4 numbers.
320	324
321	325	This is an example for dn42. and (fake) ds-rdata of 1 2 3 456
322	326	```conf
...	...	@@ -400,6 +404,4 @@ stub-zone:
400	404	name: "d.f.ip6.arpa"
401	405	stub-addr: fd42:4242:2601:ac53::1
402	406	stub-addr: 172.20.129.1
403		-
404	407	```
405		-

...	...	@@ -7,8 +7,8 @@
7	7	* It's supported by hardware routers.
8	8
9	9	## Why IPsec?
10		-* GRE provides no encryption and authentication of it's own.
11		-* IPsec in implemented in-kernel on FreeBSD and Linux with multithreaded encryption resulting in a lower latency than userspace VPN daemons using tun/tap interfaces.
	10	+* GRE provides no encryption or authentication of its own.
	11	+* IPsec is implemented in-kernel on FreeBSD and Linux with multithreaded encryption resulting in a lower latency than userspace VPN daemons using tun/tap interfaces.
12	12
13	13	## Problems with GRE
14	14	* GRE is defined directly on top of IP.

...	...	@@ -8,8 +8,8 @@ These instructions are for IPsec in transport mode not IPsec in tunnel mode. IPs
8	8	* At least one static IPv4 on at least one endpoint unless you hate yourself.
9	9
10	10	## Kernel configuration
11		-The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add this two lines to your kernel config and (re-)build your own kernel.
12		-If you're new to FreeBSD check Chapters [15.9.1](http://www.freebsd.org/doc/handbook/ipsec.html) and [9](http://www.freebsd.org/doc/handbook/kernelconfig.html) of the FreeBSD handbook.
	11	+The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add these two lines to your kernel config and (re-)build your own kernel.
	12	+If you're new to FreeBSD, check chapters [15.9.1](http://www.freebsd.org/doc/handbook/ipsec.html) and [9](http://www.freebsd.org/doc/handbook/kernelconfig.html) of the FreeBSD handbook.
13	13	```conf
14	14	options IPSEC #IP security
15	15	device crypto
...	...	@@ -19,7 +19,7 @@ Reboot into your new kernel.
19	19	## Userland configuration
20	20
21	21	Install the racoon daemon. It's included in the [security/ipsec-tools](http://www.freshports.org/security/ipsec-tools/) port.
22		-Racoon is pain in the ass to configure the first time because it's error messages aren't helping and the complexity of IPsec. Don't let this stop you.
	22	+Racoon is pain in the ass to configure the first time because its error messages aren't helping and the complexity of IPsec. Don't let this stop you.
23	23	```conf
24	24	path pre_shared_key "/usr/local/etc/racoon/psk";
25	25	path certificate "/usr/local/etc/racoon/certs";

...	...	@@ -7,17 +7,17 @@ Here be dragons. This section should cover the basics:
7	7
8	8	# Key generation and distribution
9	9	## Using pre-generated keys
10		-OpenBSD generates keys suitables for IPSec usage during the installation. The public key can be found in `/etc/isakmpd/local.pub`
	10	+OpenBSD generates keys suitable for IPSec usage during installation. The public key can be found in `/etc/isakmpd/local.pub`.
11	11
12	12	## Generating your own keys
13	13	If you don't want to use a pre-generated key, refer to [isakmpd(8)](http://man.openbsd.org/isakmpd.8#X.509_AUTHENTICATION).
14	14
15	15	## Distributing keys
16		-Send your public key to your peer, preferrably digitally signed. A signature can be created with `gpg -sb -a local.pub` and checked with `gpg --verify local.pub.asc`. Since the key is not private, it can be transmitted in the open and on a public forum, such as a Pastebin service.
	16	+Send your public key to your peer, preferably digitally signed. A signature can be created with `gpg -sb -a local.pub` and checked with `gpg --verify local.pub.asc`. Since the key is not private, it can be transmitted in the open and on a public forum, such as a Pastebin service.
17	17
18		-Once your peer sent you their public key, it under `/etc/isakmpd/pubkeys/fqdn`, `/etc/isakmpd/pubkeys/ipv4` or `/etc/isakmpd/ipv6`, depending on the ID type the peer is using. The key file should be named after the peers ID. For example, if your peer is `1.3.3.7`, you place their public key under `/etc/isakmpd/pubkeys/ipv4/1.3.3.7`.
	18	+Once your peer sent you their public key, put it under `/etc/isakmpd/pubkeys/fqdn`, `/etc/isakmpd/pubkeys/ipv4` or `/etc/isakmpd/pubkeys/ipv6`, depending on the ID type the peer is using. The key file should be named after the peer ID. For example, if your peer is `1.3.3.7`, you place their public key under `/etc/isakmpd/pubkeys/ipv4/1.3.3.7`.
19	19
20		-If your peers public key is not in PEM format, you can use [pubkey-converter](https://dn42.us/git/user/ryan/pubkey-converter.git/plain/pubkey-converter.pl) to convert between key formats.
	20	+If your peer's public key is not in PEM format, you can use [pubkey-converter](https://dn42.us/git/user/ryan/pubkey-converter.git/plain/pubkey-converter.pl) to convert between key formats.
21	21
22	22	# IPSec Setup
23	23	Change the value of the `isakmpd_flags` variable in [`/etc/rc.conf.local`](http://man.openbsd.org/rc.conf.local.8) to `"-K"`, or add the `"-K"` flag if you already have flags in there.

...	...	@@ -50,13 +50,13 @@ Just set it up like you would usually. Any IPv4 connection going through the pro
50	50	In order to maintain backward compatibility, a number of methods have been used to be able to reach IPv4 space from IPv6. NAT-PT was deprecated, so this mostly leaves us with NAT64.
51	51	NAT64 simply consists in embedding IPv4 addresses after an IPv6 prefix, and mapping the whole prefix to the whole of IPv4 space. Thanksfully, that's easily doable because we have 128-bit wide addresses in IPv6. As the name implies, we however have to perform Dynamic-NAT on the IPv4 side to squeeze all the incoming v6 space in v4 addresses (though it should be possible to run 1-1 mappings, but in that case, why not get a v4 address and NAT to it to begin with?)
52	52
53		-Currently, NAT64 support in DN42 is non-existant, though there are ongoing experimentations with it. Technically, it is possible to announce a global anycast prefix for NAT64, allowing seamless IPv4 connectivity from any properly configured IPv6 host, or any using the DNS64 (which can also be setup on the anycast servers).
	53	+Currently, NAT64 support in DN42 is non-existent, though there are ongoing experimentations with it. Technically, it is possible to announce a global anycast prefix for NAT64, allowing seamless IPv4 connectivity from any properly configured IPv6 host, or any using the DNS64 (which can also be set up on the anycast servers).
54	54
55		-DNS64 itself simply allow to synthetizes AAAA records from the received usual A records. Because DNS runs at the transport level and does not care for Layer 3 triffles, this is a service that you can run on your Nameserver even without being Dual-Stack capable. (TODO: DNS64 Howto with BIND9)
	55	+DNS64 itself simply allows to synthesize AAAA records from the received usual A records. Because DNS runs at the transport level and does not care for Layer 3 trifles, this is a service that you can run on your nameserver even without being dual-stack capable. (TODO: DNS64 Howto with BIND9)
56	56	As such, any address that can only resolve to IPv4 will now also resolve to an address corresponding to it through the NAT64 prefix.
57	57
58	58	## Routing to Internet and DN42
59		-So now that you've got IPv6 setup for DN42, you'd like to start using it on the Internet aswell. Or maybe you already do. But how to use your services on both public Internet and DN42 ?
	59	+So now that you've got IPv6 setup for DN42, you'd like to start using it on the Internet as well. Or maybe you already do. But how to use your services on both public Internet and DN42 ?
60	60
61	61	### With NPT
62	62	A first approach is to use NPT: Network Prefix Translation. Yes, this sounds a lot like NAT, but fear not: it does not have most of its problems as it is fully stateless. Initially, the purpose of NPT was to allow multi-homing without an ASN: how can you be reachable through several prefixes allocated by different ISPs ? The IPv6-way of doing it would be to assign multiple addresses from the multiple prefixes to all your nodes, but isn't that just too complicated ?

...	...	@@ -16,10 +16,10 @@ The new DNS system has two different components:
16	16	* .delegation-servers.dn42 and .master.delegation-servers.dn42 are a normal master-slave setup for providing the few official infrastructural zones.
17	17
18	18	## *.recursive-servers.dn42
19		-These are simple resolvers capable of resolving dn42 domains. Every operator gets a single letter name pointing to addresses assigned from their own address space and is strongly encouraged to use anycasting across multiple nodes to improve reliability. There is also the global anycast a.recursive-servers.dn42 which includes some/all other instances. Whether an *.recursive-servers.dn42 can resolve clearnet queries or not is decided by its operator but all a.recursive-servers.dn42 instances MUST resolve clearnet queries correctly. It is explicitely not supported to use clearnet nservers for dn42 zones and dn42 nservers for clearnet zones.
	19	+These are simple resolvers capable of resolving dn42 domains. Every operator gets a single letter name pointing to addresses assigned from their own address space and is strongly encouraged to use anycasting across multiple nodes to improve reliability. There is also the global anycast a.recursive-servers.dn42 which includes some/all other instances. Whether an *.recursive-servers.dn42 can resolve clearnet queries or not is decided by its operator but all a.recursive-servers.dn42 instances MUST resolve clearnet queries correctly. It is explicitly not supported to use clearnet nservers for dn42 zones and dn42 nservers for clearnet zones.
20	20
21	21	## *.delegation-servers.dn42
22		-These are simple authoritative servers for the dn42 zone, rDNS and a few DNS infrastruture zones. Every operator gets a single letter name pointing to addresses assigned from their own address space and is strongly encouraged to use anycasting across multiple nodes to improve reliability. There is no anycast instance because that would make debugging much harder and *.recursive-servers.dn42 instances should do loadbalancing/failover across all instances listed in the registry.
	22	+These are simple authoritative servers for the dn42 zone, rDNS and a few DNS infrastructure zones. Every operator gets a single letter name pointing to addresses assigned from their own address space and is strongly encouraged to use anycasting across multiple nodes to improve reliability. There is no anycast instance because that would make debugging much harder and *.recursive-servers.dn42 instances should do loadbalancing/failover across all instances listed in the registry.
23	23
24	24	## *.master.delegation-servers.dn42
25	25	These instances do not serve any clients. They poll the registry regularly and rebuild and resign (DNSSEC) the zones as needed. If any zone changes, all *.delegation-servers.dn42 instances are notified ([RFC1996](https://tools.ietf.org/html/rfc1996)) which then load the new zone data over AXFR ([RFC5936](https://tools.ietf.org/html/rfc5936)). The pool of masters is intentionally kept very small because of its much higher coordination needs and also the lacking support of a multi-master mode in many authoritative server implementations. The masters are only reachable over dedicated IPv6 assignments which are set up in a way that any master operator can hijack the address of a problematic master without having to wait for its operator to fix something.
...	...	@@ -41,7 +41,7 @@ burble is providing monitoring for the new DNS system. It does simple checks on
41	41	Also, gatuno provides another simple [dns checker for all the top level domains](http://gatuno.dn42/dns/) in the registry. If you want to check whatever a domain is resolving or not, this tool may be useful. The tool gets in sync with the registry every 12 hours. You can schedule checks for any domain.
42	42
43	43	# DNSSEC
44		-There are currently two KSKs managed by BURBLE-MNT and JRB0001-MNT. They are used once per quarter to sign the DNSKEY RRset. Each master operator has one ZSK which is used to sign the zones (except for the DNSKEY RRset). This setup leads to bigger responses but allows each KSK holder to solve emergencies independently. The signatures of the DNSKEY RRset are valid until the end of the first month of the next quarter to give enough time for coordinating the next siging. All other signatures are valid for 3 days and replaced at least once per day.
	44	+There are currently two KSKs managed by BURBLE-MNT and JRB0001-MNT. They are used once per quarter to sign the DNSKEY RRset. Each master operator has one ZSK which is used to sign the zones (except for the DNSKEY RRset). This setup leads to bigger responses but allows each KSK holder to solve emergencies independently. The signatures of the DNSKEY RRset are valid until the end of the first month of the next quarter to give enough time for coordinating the next signing. All other signatures are valid for 3 days and replaced at least once per day.
45	45
46	46	The set of valid KSKs can be found in the registry.
47	47