[Dnssec-deployment] Root key rolling (was NIST guidance as to DNSSEC and others)

Evan Hunt each at isc.org
Mon Feb 6 15:35:34 EST 2012

> Not to be a broken record, but given the implications of a root key
> compromise/loss, I feel any root key roll (scheduled or not) should be
> treated as an exceptional event. Every root key roll has the potential to
> be extremely disruptive.


> The idea that we would use root key rolls as a
> means to test DNS servers seems ... questionable to me.

Set up an alternate root server for testing purposes; give it a
different set of keys from the existing root zone.  Configure a
resolver to use the new server and trust anchor, instead of the real
root servers and the real root key.  Roll the SEP key.  See if the
resolver copes.

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
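
An added example, not part of the original post: a simplified Python model of what "see if the resolver copes" measures, assuming the resolver under test tracks its trust anchor with RFC 5011 automated updates (the post does not say which mechanism is used). The key names `old` and `new`, the `run_roll` and `timeline` helpers, and the schedules are constructed for illustration.

```python
# Simplified model of RFC 5011 trust-anchor tracking on a test root (added example).
# Key names and schedules are constructed; real resolvers also honour TTLs and timers
# that this model leaves out.
ADD_HOLD_DOWN_DAYS = 30  # RFC 5011 add hold-down time


def run_roll(timeline, initial_anchor, hold_down=ADD_HOLD_DOWN_DAYS):
    """Replay daily observations of the test root's DNSKEY RRset.

    timeline: list of (day, published_keys, signing_keys, revoked_keys).
    Returns (trusted_keys, first_bogus_day); first_bogus_day is None when the
    resolver could validate the DNSKEY RRset on every observed day.
    """
    trusted = {initial_anchor}
    pending = {}  # candidate key -> day it was first seen in a validated RRset
    first_bogus = None
    for day, published, signers, revoked in timeline:
        # The RRset validates only if a currently trusted key signed it.
        if not (trusted & set(signers)):
            if first_bogus is None:
                first_bogus = day
            continue  # nothing is learned from an RRset that fails validation
        # A key published with the REVOKE bit and its own signature is dropped.
        for key in revoked:
            if key in signers:
                trusted.discard(key)
        # A candidate that disappears before its timer expires starts over.
        for key in list(pending):
            if key not in published:
                del pending[key]
        for key in published:
            if key in trusted or key in revoked:
                continue
            start = pending.setdefault(key, day)
            if day - start >= hold_down:
                trusted.add(key)
                del pending[key]
    return trusted, first_bogus


def timeline(prepublish_days):
    """Constructed schedule: old SEP key alone, both published, then new alone."""
    days = [(0, ["old"], ["old"], [])]
    days += [(d, ["old", "new"], ["old"], []) for d in range(1, prepublish_days + 1)]
    switch = prepublish_days + 1
    days.append((switch, ["old", "new"], ["old", "new"], ["old"]))  # old revoked
    days.append((switch + 1, ["new"], ["new"], []))
    return days
```

A test-bed roll that pre-publishes the new key for less than the hold-down period leaves the resolver with no usable anchor, so a shortened schedule reports a failure that a conforming resolver would not show on a properly paced roll.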
