[Dnssec-deployment] Root key rolling (was NIST guidance as to DNSSEC and others)
Evan Hunt
each at isc.org
Mon Feb 6 15:35:34 EST 2012
> Not to be a broken record, but given the implications of a root key
> compromise/loss, I feel any root key roll (scheduled or not) should be
> treated as an exceptional event. Every root key roll has the potential to
> be extremely disruptive.
+1
> The idea that we would use root key rolls as a
> means to test DNS servers seems ... questionable to me.
Set up an alternate root server for testing purposes; give it a
different set of keys from the existing root zone. Configure a
resolver to use the new server and trust anchor, instead of the real
root servers and the real root key. Roll the SEP key. See if the
resolver copes.
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
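
The resolver side of the test setup described in the message above, as an added example that is not part of the original post or of ISC's own material. It assumes a current BIND 9 resolver; the paths, the server name a.test-root.example, the address 192.0.2.53, the port and the key placeholder are all hypothetical.

```conf
// named.conf for an isolated test resolver (added example; every path,
// name and address below is a placeholder, not a value from the post).

options {
    directory "/var/named-test";               // assumed scratch directory
    managed-keys-directory "/var/named-test/keys"; // keeps the test key state
                                               // apart from any production state
    listen-on port 5300 { 127.0.0.1; };        // loopback only
    listen-on-v6 { none; };
    recursion yes;
    allow-query { 127.0.0.1; };

    // "yes" validates only against the anchors configured in this file.
    // "auto" would bring in the built-in key for the real root, which is
    // exactly what this test is meant to leave out.
    dnssec-validation yes;
};

// Prime from the alternate root server instead of the real root servers.
// Contents of test-root.hints (hypothetical name, documentation address):
//
//   .                     3600000 IN NS a.test-root.example.
//   a.test-root.example.  3600000 IN A  192.0.2.53
//
zone "." {
    type hint;
    file "test-root.hints";
};

// Trust anchor for the TEST root only. Flags 257 mark the SEP key,
// 3 is the protocol field, 8 is RSASHA256 (assumed algorithm for the
// test key). "initial-key" lets the resolver follow a later roll on
// its own; "static-key" would pin this one key. BIND releases current
// when the post was written used a "managed-keys" block with the same
// entry format.
trust-anchors {
    . initial-key 257 3 8 "REPLACE-WITH-BASE64-OF-TEST-ROOT-SEP-KEY";
};
```

With the alternate root serving a zone signed by that key, `rndc managed-keys status` on this resolver shows which keys it trusts before and after the SEP key is rolled.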