Exercising RFC 5011 rollovers
each at isc.org
Fri Nov 25 20:49:23 UTC 2011
> I looked at the DNSSEC section of the bind test suite
> (bind-9.9.0b2/bin/tests/system/dnssec) to see if a key rollover test is
> part of it. I didn't see that, but it may be elsewhere, as the test suite
> is pretty elaborate. The test suite does contain a simulated root server
> (ns1), so I bet that with a little ingenuity you could devise a key
> rollover test.
Timing considerations make it difficult to have an automatic test
for this in the standard BIND test suite; the RFC requires certain
things to take a very long time. Unless you modify named to speed
up the process, rolling to a new trust anchor and deleting the old
one takes over a month, which is kind of a drag when you're running
'make check'. :)
I quite like the idea of setting up a public zone that revokes and
replaces trust anchors periodically. I don't know of one at present.
The right place to ask is probably the dnssec-deployment mailing list.
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
More information about the bind-users