[ksk-rollover] A lab test of Root Algorithm Rollover

Davey Song(宋林健) ljsong at biigroup.cn
Mon Mar 25 05:42:12 UTC 2019

Hi folks,


We have done a lab test against the root algorithm rollover last month.
There is a preliminary result and supprise I would like to share with you if
you are interested. I also would like to call for more participants
(resolvers) and input for our second lab test. Comments are welcome.


The Slides I presented in Yeti DNS workshop:


The summary I quoted from the meeting note of my presentation:


“Basically, we rolled the algorithm in four approaches with different
configuration and time lines. The finding is interesting that four
approaches successfully for BIND (9.11.5-P1) and UNBOUND(1.8.3) resolver.
Note that there is an accidental mistake in configuring the ZSK's inactive
time which results no active signing key in the middle of the rollover and
causes validation failure(we recovered it with a new ZSK but it still had
impact on resolver). As a response to this failure, it is observed BIND
restarts the Add Hold-Down Time of new key/algorithm for another 30 days
when new valid signing key is available but Unbound continue the timer and
trusted the KSK/Algorithm after the rfc5011-timer expired. It is planned
that more lab test for rollover should be done before roll the algorithm of
Yeti. We will call for more resolvers to join this test.”


Best regards,



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20190325/9ab483e8/attachment.html>

More information about the ksk-rollover mailing list