[Dnssec-deployment] Root key rolling (was NIST guidance as to DNSSEC and others)

Evan Hunt each at isc.org
Mon Feb 6 15:35:34 EST 2012


> Not to be a broken record, but given the implications of a root key
> compromise/loss, I feel any root key roll (scheduled or not) should be
> treated as an exceptional event. Every root key roll has the potential to
> be extremely disruptive.

+1

> The idea that we would use root key rolls as a
> means to test DNS servers seems ... questionable to me.

Set up an alternate root server for testing purposes; give it a
different set of keys from the existing root zone.  Configure a
resolver to use the new server and trust anchor, instead of the real
root servers and the real root key.  Roll the SEP key.  See if the
resolver copes.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
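
A simplified model of what "see if the resolver copes" checks, added here as an illustration and not part of the message above. It assumes the resolver follows RFC 5011 automated trust anchor updates, which the post does not name; the `Resolver` class, key names and polling days are constructed.

```python
from datetime import datetime, timedelta

ADD_HOLD_DOWN = timedelta(days=30)   # RFC 5011 add hold-down time (minimum)
SEP, REVOKE = 0x0001, 0x0080         # DNSKEY flag bits; 257 = ZONE|SEP

class Resolver:
    def __init__(self, anchors, rfc5011=True):
        self.trusted = set(anchors)  # key names accepted as trust anchors
        self.pending = {}            # new SEP key -> time first seen
        self.rfc5011 = rfc5011       # False models a statically configured anchor

    def poll(self, now, rrset, signers):
        """rrset: {key name: flags}; signers: set of keys that signed the DNSKEY RRset.
        Returns True if the RRset validates against a current trust anchor."""
        revoked = {k for k, f in rrset.items() if f & REVOKE}
        if self.rfc5011:
            # A revocation counts only if the revoked key signed it itself.
            self.trusted -= revoked & signers
        usable = (self.trusted & signers & set(rrset)) - revoked
        if not usable:
            self.pending.clear()     # unvalidated data teaches the resolver nothing
            return False
        if self.rfc5011:
            # Keep only pending keys that are still published, then add newcomers.
            self.pending = {k: t for k, t in self.pending.items() if k in rrset}
            for key, flags in rrset.items():
                if flags & SEP and key not in revoked and key not in self.trusted:
                    if now - self.pending.setdefault(key, now) >= ADD_HOLD_DOWN:
                        self.trusted.add(key)
                        del self.pending[key]
        return True

# Constructed schedule: (day, DNSKEY RRset, signing keys) as served by the test root.
ROLL = [
    (0,  {"old": 257}, {"old"}),
    (1,  {"old": 257, "new": 257}, {"old"}),                   # new SEP key published
    (32, {"old": 257, "new": 257}, {"old"}),                   # hold-down elapsed
    (40, {"old": 257 | REVOKE, "new": 257}, {"old", "new"}),   # old key revoked
    (70, {"new": 257}, {"new"}),                               # old key withdrawn
]

def run_roll(resolver, schedule=ROLL, start=datetime(2012, 2, 6)):
    """Return [(day, validated)] for each poll of the test root."""
    return [(d, resolver.poll(start + timedelta(days=d), rr, set(sig)))
            for d, rr, sig in schedule]

if __name__ == "__main__":
    print("RFC 5011:", run_roll(Resolver({"old"})))
    print("static:  ", run_roll(Resolver({"old"}, rfc5011=False)))
```

The statically configured resolver stops validating as soon as the old key is revoked, and an RFC 5011 resolver fails the same way if the old key is withdrawn before the hold-down has elapsed.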

