On 2010-01-22, at 07:45, Andrew Sullivan wrote:

> It is simply not true that everything needs to be done "for real" in
> order to be sure it can be done.

I think that's true. However, for procedures (manual or automated) that are required to function seamlessly and transparently in production, with no impact to service, I am generally in favour of exercising them regularly in production.

Additionally, with the case of key rolls, there are two sides to the exercise -- you need to be sure that you can do them seamlessly on the server side, and you also need to be sure that the client side can accommodate the change. The only way I can think of doing that in any real way is to roll your keys in production. You don't know your client base well enough on the Internet to be able to have them test against a lab (or test at all).

I don't think it matters whether the key roll schedule is perfectly periodic (e.g. every interval T) or event-driven (e.g. every time someone joins or leaves the operations team) but in general I am not comfortable relying on important machinery to work when you need it if it's not exercised.

If you need an analogy, I think generator testing is a better one than launching ICBMs at schools. You hope never to need your generator, but you test it regularly anyway just in case.

Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop