> I looked at the DNSSEC section of the bind test suite
> (bind-9.9.0b2/bin/tests/system/dnssec) to see if a key rollover test is
> part of it. I didn't see that, but it may be elsewhere, as the test suite
> is pretty elaborate. The test suite does contain a simulated root server
> (ns1), so I bet that with a little ingenuity you could devise a key
> rollover test.

Timing considerations make it difficult to have an automatic test for this in the standard BIND test suite; the RFC requires certain things to take a very long time. Unless you modify named to speed up the process, rolling to a new trust anchor and deleting the old one takes over a month, which is kind of a drag when you're running 'make check'. :)

I quite like the idea of setting up a public zone that revokes and replaces trust anchors periodically. I don't know of one at present. The right place to ask is probably the dnssec-deployment mailing list.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.