Using "managed-keys" for the root zone and for dlv.isc.org can give one a warm fuzzy feeling, given that their respective administrators have declared an intention to follow RFC 5011 if they ever roll over their KSKs.
Except, they never have changed their KSKs so far, so the relevant code in BIND doesn't actually get exercised.

Does anyone provide a zone with a trust anchor that is frequently rolled over in that way, just so that one can see whether it really works? Then one's feelings might be warmer and less fuzzy...

I could of course set up such a test zone and try to perform an RFC 5011 rollover on it, using dnssec-revoke and/or the -R option of dnssec-settime, meanwhile tracking it on another system via a managed-keys entry, but then if it all went pear-shaped it might not be clear whether I had performed the rollover correctly or not.

--
Chris Thompson
Email: c...@cam.ac.uk
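As an added illustration (not part of the post above, and not BIND's code), the following is a simplified Python model of the validator-side RFC 5011 trust anchor state machine, so the expected outcome of the rollover described above (publish new KSK, wait out the add hold-down, revoke the old KSK, wait out the remove hold-down) can be checked against what a managed-keys tracker actually does. It assumes 30-day add and remove hold-downs as in RFC 5011, that the caller has already validated each observed DNSKEY RRset, and that key ids and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ADD_HOLD_DOWN = timedelta(days=30)     # RFC 5011 add hold-down for a new key
REMOVE_HOLD_DOWN = timedelta(days=30)  # RFC 5011 remove hold-down after revocation

@dataclass
class Anchor:
    state: str       # AddPend, Valid, Missing or Revoked (Start/Removed = absent)
    since: datetime  # when the key entered this state

class Rfc5011Tracker:
    """Validator-side model of the RFC 5011 trust anchor state machine."""
    def __init__(self, now, initial_keys):
        self.anchors = {k: Anchor("Valid", now) for k in initial_keys}

    def trusted(self):
        return sorted(k for k, a in self.anchors.items() if a.state == "Valid")

    def observe(self, now, rrset):
        # rrset maps key id -> REVOKE bit; caller is assumed to have validated the RRset.
        for key, revoked in rrset.items():
            a = self.anchors.get(key)
            if a is None:
                if not revoked:              # fresh key: start the add hold-down
                    self.anchors[key] = Anchor("AddPend", now)
            elif a.state == "AddPend":
                if revoked:                  # revoked before it was trusted: forget it
                    del self.anchors[key]
                elif now - a.since >= ADD_HOLD_DOWN:
                    self.anchors[key] = Anchor("Valid", now)
            elif a.state in ("Valid", "Missing"):
                self.anchors[key] = Anchor("Revoked", now) if revoked else Anchor("Valid", a.since)
        for key, a in list(self.anchors.items()):
            if key not in rrset and a.state == "AddPend":
                del self.anchors[key]        # hold-down interrupted: start over
            elif key not in rrset and a.state == "Valid":
                self.anchors[key] = Anchor("Missing", now)
            elif a.state == "Revoked" and now - a.since >= REMOVE_HOLD_DOWN:
                del self.anchors[key]        # remove hold-down expired

def simulate(initial_keys, steps):
    """steps: (day, rrset) pairs; returns the trusted key set after each step."""
    t0 = datetime(2011, 1, 1)               # constructed start date
    tracker, out = Rfc5011Tracker(t0, initial_keys), []
    for day, rrset in steps:
        tracker.observe(t0 + timedelta(days=day), rrset)
        out.append((day, tracker.trusted()))
    return out
```

A new key that disappears during its hold-down, or arrives already revoked, never becomes trusted; that is the behaviour a test zone would need to exercise alongside the plain rollover.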