> It is clear from the blog post that this is a fairly sophisticated
> group of ops people, who had a reasonable test plan, a bunch of test
> points set up in dnsviz and so forth. Neither of these bugs seems
> very exotic, and could have been caught by routine tests.
It is not clear to me whether or not they did ZSK and KSK key rollovers on test zones and on minor zones. If they didn't, that's a good way to get in trouble later on.

The main lesson learned from this incident seems to be to always create a test zone with content identical to that of the main zone and fully test that zone.

A common lesson, also not mentioned, is to have low TTLs for stuff you control. It would not have helped with the DS record, but the discussion about the ZSK being lost would have been helped by a low TTL on the DNSKEY RRset.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
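The two checks the reply asks for (does every DS at the parent still match a key in the child's DNSKEY RRset, and is the DNSKEY TTL low enough that a bad key can be backed out quickly) are easy to run against a test zone before touching production. The script below is an added example and is not code from the post, from the thread or from the operators being discussed; the zone name `example.test.`, the key bytes, the stale-KSK scenario and the one-hour TTL ceiling are all constructed for illustration. It follows RFC 4034 for the DS digest input (owner name in wire format followed by the DNSKEY RDATA) and Appendix B for the key tag, and takes the DNSKEY and DS records as already-parsed tuples rather than fetching them, so it runs offline.

```python
import base64
import hashlib
import struct

# Constructed sample zone (not real keys): the child's DNSKEY RRset as
# (flags, protocol, algorithm, base64 public key), plus its TTL.
ZONE = "example.test."
DNSKEY_TTL = 86400  # one day: far too long if a broken key has to be pulled
DNSKEYS = [
    (257, 3, 13, base64.b64encode(bytes(range(64))).decode()),       # KSK
    (256, 3, 13, base64.b64encode(bytes(range(64, 128))).decode()),  # ZSK
]
# A previous KSK that has been removed from the zone; if the parent still
# publishes a DS for it, validators that pick that DS will fail the zone.
OLD_KSK = (257, 3, 13, base64.b64encode(bytes(range(128, 192))).decode())


def wire_name(name):
    """Owner name in canonical DNS wire form (lowercase, RFC 4034 section 6.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, proto, alg, pubkey_b64):
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name wire form || DNSKEY RDATA), RFC 4034 s.5.1.4."""
    h = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return h(wire_name(owner) + rdata).hexdigest().upper()


def make_ds(owner, flags, proto, alg, pubkey_b64, digest_type=2):
    """Build the DS tuple (key tag, algorithm, digest type, digest) for one DNSKEY."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey_b64)
    return (key_tag(rdata), alg, digest_type, ds_digest(owner, rdata, digest_type))


def unmatched_ds(owner, dnskeys, parent_ds):
    """Return every DS published at the parent that matches no key in the child."""
    expected = set()
    for flags, proto, alg, key in dnskeys:
        for digest_type in (1, 2, 4):
            expected.add(make_ds(owner, flags, proto, alg, key, digest_type))
    return [ds for ds in parent_ds if ds not in expected]


def preflight(owner, ttl, dnskeys, parent_ds, max_dnskey_ttl=3600):
    """Run both checks; a zone with a stale DS or a long DNSKEY TTL fails."""
    stale = unmatched_ds(owner, dnskeys, parent_ds)
    return {
        "stale_ds": stale,
        "dnskey_ttl_ok": ttl <= max_dnskey_ttl,
        "ok": not stale and ttl <= max_dnskey_ttl,
    }


if __name__ == "__main__":
    # Parent still carries the DS for OLD_KSK next to the current one.
    parent = [make_ds(ZONE, *DNSKEYS[0]), make_ds(ZONE, *OLD_KSK)]
    report = preflight(ZONE, DNSKEY_TTL, DNSKEYS, parent)
    for ds in report["stale_ds"]:
        print("stale DS at parent: tag=%d alg=%d dtype=%d %s" % ds)
    print("DNSKEY TTL ok:", report["dnskey_ttl_ok"])
    print("zone ready:", report["ok"])
```

Feed it the DS set actually returned by the parent's authoritative servers and the DNSKEY RRset from each of your own servers in turn; a DS that matches nothing is exactly the failure a test zone with the same keys and the same parent delegation would have shown before the change went live.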