On Wed, Apr 03, 2013 at 05:17:35PM +0200, Stephane Bortzmeyer wrote:
> Was RFC 5011 actually tested in a real rollover with the current
> resolvers?)
Depends what you mean by "real". The BIND implementation has been tested with real keys, but obviously it's never been confronted with an actual real-world root-zone rollover.

In principle there's no difference, but in practice I'm less confident: Rolling the root zone means exercising the RFC 5011 code in *many* validating resolvers, on different platforms with different configurations, and with high stakes in the event of failure. The possibility that we've overlooked a test scenario and some validators out there will fail to roll to the new trust anchor correctly is going to give me jitters until we've done it the first time.

Then there's the issue Paul mentioned -- gear configured with a root KSK that gets switched off and not rebooted for a few months or years, and then no longer works and can't recover.

Unfortunately, none of these concerns get smaller if we wait longer.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
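The two failure modes raised in this thread (a validator that misses a test scenario, and gear that is powered off across the rollover and cannot recover) can be made concrete by driving the RFC 5011 trust-anchor state machine through a rollover. The model below is an added example for this page, not code from ISC, BIND or any poster; it does no DNSSEC cryptography (an RRset simply records which key tags "signed" it, and validating means one of those signers is currently a Valid trust anchor), the key tags 1001 and 2002 and the day-based rollover timeline are constructed, and treating a revoked key that is still in its add hold-down as removed is a simplifying assumption.

```python
"""RFC 5011 trust-anchor state machine (Start, AddPend, Valid, Missing,
Revoked, Removed) run through a constructed root KSK rollover.  Toy model:
no real DNSSEC crypto, constructed key tags, constructed timeline."""
from dataclasses import dataclass
from typing import Optional

DAY = 86400
ADD_HOLD_DOWN = 30 * DAY       # RFC 5011 add hold-down
REMOVE_HOLD_DOWN = 30 * DAY    # RFC 5011 remove hold-down
FLAG_ZONE, FLAG_REVOKE, FLAG_SEP = 0x0100, 0x0080, 0x0001   # DNSKEY flag bits


@dataclass(frozen=True)
class DNSKey:
    tag: int      # key tag; constructed values, not real root KSK tags
    flags: int


@dataclass(frozen=True)
class DNSKeyRRset:
    keys: tuple             # DNSKEY records at the zone apex
    signers: frozenset      # tags whose RRSIG covers the RRset (stand-in for crypto)


@dataclass
class Anchor:
    state: str
    timer: Optional[int] = None   # absolute time at which a hold-down expires


class Resolver:
    def __init__(self, trusted_tags):
        self.anchors = {t: Anchor("Valid") for t in trusted_tags}

    def valid_tags(self):
        return {t for t, a in self.anchors.items() if a.state == "Valid"}

    def can_validate(self, rrset):
        return bool(rrset.signers & self.valid_tags())

    def poll(self, now, rrset):
        """One active refresh.  Returns False when the RRset cannot be validated
        by any current Valid anchor; RFC 5011 then forbids acting on it, so
        nothing changes and the resolver is stuck until a human intervenes."""
        if not self.can_validate(rrset):
            return False
        present = {k.tag: k for k in rrset.keys}
        for tag, a in self.anchors.items():
            key = present.get(tag)
            # RevBit: key carries the REVOKE bit and self-signs the RRset.
            revoked = key is not None and bool(key.flags & FLAG_REVOKE) and tag in rrset.signers
            if a.state == "AddPend":
                if key is None or revoked:          # KeyRem (revoked candidate treated the same: assumption)
                    a.state, a.timer = "Start", None
                elif now >= a.timer:                # AddTime: present throughout the hold-down
                    a.state, a.timer = "Valid", None
            elif a.state == "Valid":
                if revoked:
                    a.state, a.timer = "Revoked", now + REMOVE_HOLD_DOWN
                elif key is None:                   # KeyRem
                    a.state = "Missing"
            elif a.state == "Missing":
                if revoked:
                    a.state, a.timer = "Revoked", now + REMOVE_HOLD_DOWN
                elif key is not None:               # KeyPres
                    a.state = "Valid"
            elif a.state == "Revoked" and now >= a.timer:   # RemTime
                a.state, a.timer = "Removed", None
        for tag, key in present.items():            # NewKey: unseen SEP key starts its add hold-down
            known = self.anchors.get(tag)
            if (known is None or known.state == "Start") and key.flags & FLAG_SEP and not key.flags & FLAG_REVOKE:
                self.anchors[tag] = Anchor("AddPend", now + ADD_HOLD_DOWN)
        return True


OLD = DNSKey(1001, FLAG_ZONE | FLAG_SEP)            # constructed tags
NEW = DNSKey(2002, FLAG_ZONE | FLAG_SEP)
OLD_REVOKED = DNSKey(OLD.tag, OLD.flags | FLAG_REVOKE)


def zone_at(day):
    """Constructed rollover timeline; day 0 is the first publication of NEW."""
    if day < 0:
        return DNSKeyRRset((OLD,), frozenset({OLD.tag}))
    if day < 60:      # pre-publish: NEW present, RRset signed by OLD (and NEW)
        return DNSKeyRRset((OLD, NEW), frozenset({OLD.tag, NEW.tag}))
    if day < 120:     # OLD carries the REVOKE bit and still self-signs
        return DNSKeyRRset((OLD_REVOKED, NEW), frozenset({OLD.tag, NEW.tag}))
    return DNSKeyRRset((NEW,), frozenset({NEW.tag}))   # OLD withdrawn


def run(resolver, days):
    for d in days:
        resolver.poll(d * DAY, zone_at(d))
    return {t: a.state for t, a in resolver.anchors.items()}


def always_on():
    """Polls every day across the whole rollover: OLD ends Removed, NEW Valid."""
    return run(Resolver([OLD.tag]), range(-5, 131))


def switched_off_before_publication():
    """Last sync before NEW appeared; powered on again after OLD is withdrawn.
    The only anchor never signs anything it sees, so it can never learn NEW."""
    r = Resolver([OLD.tag])
    run(r, range(-5, 0))
    return run(r, range(130, 140)), r.can_validate(zone_at(135))


def switched_off_until_revocation():
    """Comes back while OLD is revoked: OLD is dropped immediately, NEW is still
    in its 30-day hold-down, so no Valid anchor remains to finish it."""
    r = Resolver([OLD.tag])
    run(r, range(-5, 0))
    return run(r, range(100, 140)), r.can_validate(zone_at(135))


if __name__ == "__main__":
    print("always on:", always_on())
    print("off before publication:", switched_off_before_publication())
    print("off until revocation:", switched_off_until_revocation())
```

The third scenario is the less obvious one: a box that returns after the old key is revoked but before its own hold-down on the new key has run loses its last Valid anchor the moment it sees the REVOKE bit, which is why the gap between publishing a new KSK and revoking the old one has to be much longer than the 30-day hold-down, and why a box that sleeps through both stages needs a new trust anchor installed by hand.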