Exercising RFC 5011 rollovers

Evan Hunt each at isc.org
Fri Nov 25 20:49:23 UTC 2011

> I looked at the DNSSEC section of the bind test suite
> (bind-9.9.0b2/bin/tests/system/dnssec) to see if a key rollover test is
> part of it. I didn't see that, but it may be elsewhere, as the test suite
> is pretty elaborate. The test suite does contain a simulated root server
> (ns1), so I bet that with a little ingenuity you could devise a key
> rollover test.

Timing considerations make it difficult to have an automatic test
for this in the standard BIND test suite; the RFC requires certain
things to take a very long time.  Unless you modify named to speed
up the process, rolling to a new trust anchor and deleting the old
one takes over a month, which is kind of a drag when you're running
'make check'.  :)

I quite like the idea of setting up a public zone that revokes and
replaces trust anchors periodically.  I don't know of one at present.
The right place to ask is probably the dnssec-deployment mailing list.

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

More information about the bind-users mailing list