> My lesson is - besides just working out the configuration - testing > RFC5011 takes more patience than just about any other feature of > DNS/DNSSEC. RFC5011 is the most wall-clock driven mechanism we have.
Yup. I learned that as well. As a side note: can you imagine my surprise when, after waiting all that time BIND then crashed on me after being fed OpenDNSSEC keys? Had to start all over and explain excessive hair loss to the missus ... It's thanks to Warren's keyroll.systems that I actually persisted testing, and only then did I report the crash to ISC, whereupon I was forced to wait a full rollover period until I was allowed to talk about it. ;-) -JP _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users