[ksk-rollover] A lab test of Root Algorithm Rollover

Medel Ramirez mgramirez at globe.com.ph
Mon Mar 25 20:36:02 UTC 2019

This is super Kool !

Sent from my V6 Engine!
メデル ラミレズ

On 25 Mar 2019, at 1:42 PM, Davey Song(宋林健) <ljsong at biigroup.cn> wrote:

Hi folks,

We have done a lab test against the root algorithm rollover last month.
There is a preliminary result and surprise I would like to share with you
if you are interested. I also would like to call for more participants
(resolvers) and input for our second lab test. Comments are welcome.

The slides I presented at the Yeti DNS workshop:

The summary I quoted from the meeting note of my presentation:

“Basically, we rolled the algorithm in four approaches with different
configurations and timelines. The interesting finding is that the four
approaches were successful for the BIND (9.11.5-P1) and Unbound (1.8.3)
resolvers. Note that there was an accidental mistake in configuring the ZSK's
inactive time, which resulted in no active signing key in the middle of the
rollover and caused validation failure (we recovered it with a new ZSK, but it
still had an impact on the resolver). As a response to this failure, it is
observed that BIND restarts the Add Hold-Down Time of the new key/algorithm
for another 30 days when a new valid signing key is available, but Unbound
continued the timer and trusted the KSK/algorithm after the rfc5011-timer
expired. It is planned that more lab tests for the rollover should be done
before rolling the algorithm of Yeti. We will call for more resolvers to join
this test.”

Best regards,


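The hold-down behaviour described in the quoted summary, as an added example that is not part of the original e-mail and is not BIND or Unbound code: a simplified model of the RFC 5011 Add Hold-Down timer under the two failure policies the summary reports. The dates, the three-day signing gap and the names `build_timeline` and `trust_date` are constructed for illustration.

```python
from datetime import date, timedelta

ADD_HOLD_DOWN = timedelta(days=30)  # RFC 5011 Add Hold-Down Time


def build_timeline(start, days, outage):
    """Daily polls as (day, valid); valid is False on days in `outage`,
    when the zone has no active signing key and validation fails."""
    polls = []
    for n in range(days):
        day = start + timedelta(days=n)
        polls.append((day, day not in outage))
    return polls


def trust_date(polls, on_failure):
    """Return the day the new KSK becomes a trust anchor, or None.

    on_failure="restart": a failed poll discards the running timer, so the
    hold-down starts again at the next valid poll (reported for BIND).
    on_failure="continue": failed polls are ignored and the timer keeps
    running from the first valid sighting (reported for Unbound).
    """
    if on_failure not in ("restart", "continue"):
        raise ValueError("on_failure must be 'restart' or 'continue'")
    first_seen = None
    for day, valid in polls:
        if not valid:
            if on_failure == "restart":
                first_seen = None
            continue
        if first_seen is None:
            first_seen = day
        # The key is accepted only on a valid poll at or after timer expiry.
        if day - first_seen >= ADD_HOLD_DOWN:
            return day
    return None


if __name__ == "__main__":
    # Constructed scenario: new KSK first seen 2019-02-01, three-day signing gap.
    gap = {date(2019, 2, 10), date(2019, 2, 11), date(2019, 2, 12)}
    polls = build_timeline(date(2019, 2, 1), 60, gap)
    for policy in ("continue", "restart"):
        print(policy, trust_date(polls, policy))
```

In this constructed timeline the two policies accept the new key 12 days apart, the kind of divergence a rollover schedule has to allow for after any signing gap.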