Testing RFC 5011 key roll
Jan-Piet Mens
jpmens.dns at gmail.com
Tue Apr 21 21:34:40 UTC 2015
> My lesson is - besides just working out the configuration - testing
> RFC5011 takes more patience than just about any other feature of
> DNS/DNSSEC. RFC5011 is the most wall-clock driven mechanism we have.
Yup. I learned that as well.
As a side note: can you imagine my surprise when, after waiting all that
time BIND then crashed on me after being fed OpenDNSSEC keys? Had to
start all over and explain excessive hair loss to the missus ...
It's thanks to Warren's keyroll.systems that I actually persisted
testing, and only then did I report the crash to ISC, whereupon I was
forced to wait a full rollover period until I was allowed to talk about
it. ;-)
-JP
More information about the bind-users
mailing list