[ksk-rollover] Reply: A lab test of Root Algorithm Rollover

James Gannon james at cyberinvasion.net
Mon Mar 25 06:08:14 UTC 2019


Thanks Davey!

From: "Davey Song(宋林健)" <ljsong at biigroup.cn>
Date: Monday, 25 March 2019 at 07:07
To: James Gannon <james at cyberinvasion.net>, "ksk-rollover at icann.org" <ksk-rollover at icann.org>
Subject: Reply: [ksk-rollover] A lab test of Root Algorithm Rollover

Sorry. I did not push it to my remote repo yet. Now it is available. Or you can check the attached file.

Davey

From: James Gannon [mailto:james at cyberinvasion.net]
Sent: 25 March 2019 13:52
To: Davey Song(宋林健); ksk-rollover at icann.org
Subject: Re: [ksk-rollover] A lab test of Root Algorithm Rollover

I get a 404 from that url?

From: ksk-rollover <ksk-rollover-bounces at icann.org> on behalf of "Davey Song(宋林健)" <ljsong at biigroup.cn>
Date: Monday, 25 March 2019 at 06:42
To: "ksk-rollover at icann.org" <ksk-rollover at icann.org>
Subject: [ksk-rollover] A lab test of Root Algorithm Rollover

Hi folks,

We did a lab test of the root algorithm rollover last month. There is a preliminary result and a surprise I would like to share with you if you are interested. I would also like to call for more participants (resolvers) and input for our second lab test. Comments are welcome.

The slides I presented at the Yeti DNS workshop: https://yeti-dns.org/resource/Root-algorithm-rollover-lab-test.pdf

The summary I quoted from the meeting note of my presentation:

“Basically, we rolled the algorithm using four approaches with different configurations and timelines. The finding is interesting in that the four approaches succeeded for the BIND (9.11.5-P1) and Unbound (1.8.3) resolvers. Note that there was an accidental mistake in configuring the ZSK's inactive time, which resulted in no active signing key in the middle of the rollover and caused validation failure (we recovered from it with a new ZSK, but it still had an impact on the resolver). As a response to this failure, it was observed that BIND restarts the Add Hold-Down Time of the new key/algorithm for another 30 days when a new valid signing key is available, but Unbound continues the timer and trusted the KSK/algorithm after the rfc5011-timer expired. It is planned that more lab tests of the rollover should be done before rolling the algorithm of Yeti. We will call for more resolvers to join this test.”

Best regards,
Davey
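
The timer difference reported in the meeting note above, modelled as an added example (not code from this thread, BIND or Unbound): it computes the day a new key becomes a trust anchor when a validation outage interrupts the 30-day Add Hold-Down Time. The policy names `restart` and `continue`, the daily probe schedule, and all dates are constructed assumptions.

```python
from datetime import date, timedelta

ADD_HOLD_DOWN = timedelta(days=30)  # Add Hold-Down Time from the meeting note


def trust_date(observations, policy):
    """Return the date the new key is accepted as a trust anchor, or None.

    observations: chronological (day, ok) pairs; ok is True when the probe
    validated a DNSKEY RRset containing the new key, False when validation
    failed (e.g. no active signing key).
    policy: "restart" re-arms the hold-down at the first valid probe after
    a failure (behaviour reported for BIND); "continue" keeps the original
    timer running (behaviour reported for Unbound).
    """
    if policy not in ("restart", "continue"):
        raise ValueError("policy must be 'restart' or 'continue'")
    start = None      # when the current hold-down period began
    failed = False    # a failure occurred since the last valid probe
    for day, ok in observations:
        if not ok:
            failed = start is not None or failed
            continue
        if start is None or (failed and policy == "restart"):
            start = day
        failed = False
        # The key is trusted at the first valid probe after the timer expires.
        if day - start >= ADD_HOLD_DOWN:
            return day
    return None


def sample_timeline(first_seen=date(2019, 2, 1), days=60, outage=range(10, 13)):
    """Constructed data: one probe per day, failing on the outage offsets."""
    return [(first_seen + timedelta(days=i), i not in outage) for i in range(days)]


if __name__ == "__main__":
    timeline = sample_timeline()
    for policy in ("continue", "restart"):
        print(policy, trust_date(timeline, policy))
```

With the constructed three-day outage, the `restart` policy delays acceptance of the new key by 13 days relative to `continue`, which is the kind of skew between resolver populations an operator has to budget for before revoking the old key.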
