Exercising RFC 5011 rollovers

Chris Thompson cet1 at cam.ac.uk
Fri Nov 25 17:38:06 UTC 2011

Using "managed-keys" for the root zone and for dlv.isc.org can give one
a warm fuzzy feeling, given that their respective administrators have
declared an intention to follow RFC 5011 if they ever roll over their

Except, they never have changed their KSKs so far, so the relevant code
in BIND doesn't actually get exercised.

Does anyone provide a zone with a trust anchor that is frequently rolled
over in that way, just so that one can see whether it really works? Then
one's feelings might be warmer and less fuzzy...

I could of course set up such a test zone and try to perform an RFC 5011
rollover on it, using dnssec-revoke and/or the -R option of dnssec-settime,
meanwhile tracking it on another system via a managed-keys entry, but then
if it all went pear-shaped it might not be clear whether I had performed
the rollover correctly or not.

Chris Thompson
Email: cet1 at cam.ac.uk
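As an added illustration (not part of the post or of BIND's code): a minimal RFC 5011 trust-anchor state machine in Python, driven by constructed DNSKEY observations, so one can see what a correct managed-keys rollover should look like (new KSK trusted only after the 30-day add hold-down, revoked KSK dropped after the 30-day remove hold-down) before judging whether a real test zone "works". The class and key names are assumptions, and RRSIG validation of each observed RRset is assumed to be done by the caller.

```python
from dataclasses import dataclass

DAY = 86400
ADD_HOLD_DOWN = 30 * DAY     # RFC 5011 add hold-down time
REMOVE_HOLD_DOWN = 30 * DAY  # RFC 5011 remove hold-down time
SEP_FLAG = 0x0001            # DNSKEY flags bit 15 (Secure Entry Point)
REVOKE_FLAG = 0x0080         # DNSKEY flags bit 8 (REVOKE, RFC 5011)

@dataclass
class Anchor:
    state: str   # "AddPend", "Valid", "Missing" or "Revoked"
    since: int   # epoch seconds at which this state was entered

class TrustPoint:  # hypothetical name; tracks one zone's managed keys
    def __init__(self, initial_tags, now):
        self.keys = {tag: Anchor("Valid", now) for tag in initial_tags}

    def observe(self, now, dnskeys):
        """Apply one validated DNSKEY RRset given as {key_label: flags}.
        Assumption: the caller already verified the RRset is signed by a
        trusted anchor (and by each revoked key itself). Labels stand in
        for key tags; a real tag changes when the REVOKE bit is set."""
        seen = set()
        for tag, flags in dnskeys.items():
            if not flags & SEP_FLAG:
                continue                   # only SEP keys become anchors
            a = self.keys.get(tag)
            if flags & REVOKE_FLAG:
                if a is not None and a.state in ("Valid", "Missing"):
                    self.keys[tag] = Anchor("Revoked", now)  # remove hold-down starts
                continue
            seen.add(tag)
            if a is None:
                self.keys[tag] = Anchor("AddPend", now)      # add hold-down starts
            elif a.state == "AddPend" and now - a.since >= ADD_HOLD_DOWN:
                self.keys[tag] = Anchor("Valid", now)        # seen continuously for 30 days
            elif a.state == "Missing":
                self.keys[tag] = Anchor("Valid", now)        # key reappeared
        for tag, a in list(self.keys.items()):
            if a.state == "Revoked":
                if now - a.since >= REMOVE_HOLD_DOWN:
                    del self.keys[tag]                       # Removed
            elif tag not in seen:
                if a.state == "AddPend":
                    del self.keys[tag]     # vanished during hold-down: timer restarts
                elif a.state == "Valid":
                    self.keys[tag] = Anchor("Missing", now)
        return self.trusted()

    def trusted(self):
        """Anchors the resolver validates with now: Valid and Missing keys."""
        return sorted(t for t, a in self.keys.items() if a.state in ("Valid", "Missing"))

    def state(self, tag):
        return self.keys[tag].state if tag in self.keys else "Removed"
```

Feeding it the DNSKEY RRsets a resolver would fetch at each refresh (flags 257 for a KSK, 385 once dnssec-revoke has set the REVOKE bit) shows the timeline a managed-keys entry should follow.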

