[ksk-rollover] 答复: A lab test of Root Algorithm Rollover

Davey Song(宋林健) ljsong at biigroup.cn
Mon Mar 25 06:07:14 UTC 2019 

Sorry. I did not push it to my remote repo yet.  Now it is available. Or you can check the attached file

 

Davey

 

发件人: James Gannon [mailto:james at cyberinvasion.net] 
发送时间: 2019年3月25日 13:52
收件人: Davey Song(宋林健); ksk-rollover at icann.org
主题: Re: [ksk-rollover] A lab test of Root Algorithm Rollover

 

I get a 404 from that url?

 

From: ksk-rollover <ksk-rollover-bounces at icann.org> on behalf of "Davey Song(宋林健)" <ljsong at biigroup.cn>
Date: Monday, 25 March 2019 at 06:42
To: "ksk-rollover at icann.org" <ksk-rollover at icann.org>
Subject: [ksk-rollover] A lab test of Root Algorithm Rollover

 

Hi folks,

 

We have done a lab test against the root algorithm rollover last month. There is a preliminary result and supprise I would like to share with you if you are interested. I also would like to call for more participants (resolvers) and input for our second lab test. Comments are welcome.

 

The Slides I presented in Yeti DNS workshop:  https://yeti-dns.org/resource/Root-algorithm-rollover-lab-test.pdf 

 

The summary I quoted from the meeting note of my presentation:

 

“Basically, we rolled the algorithm in four approaches with different configuration and time lines. The finding is interesting that four approaches successfully for BIND (9.11.5-P1) and UNBOUND(1.8.3) resolver. Note that there is an accidental mistake in configuring the ZSK's inactive time which results no active signing key in the middle of the rollover and causes validation failure(we recovered it with a new ZSK but it still had impact on resolver). As a response to this failure, it is observed BIND restarts the Add Hold-Down Time of new key/algorithm for another 30 days when new valid signing key is available but Unbound continue the timer and trusted the KSK/Algorithm after the rfc5011-timer expired. It is planned that more lab test for rollover should be done before roll the algorithm of Yeti. We will call for more resolvers to join this test.”

 

Best regards,

Davey

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20190325/bd654252/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Root-algorithm-rollover-lab-test.pdf
Type: application/pdf
Size: 683200 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20190325/bd654252/Root-algorithm-rollover-lab-test-0001.pdf>

More information about the ksk-rollover mailing list