Mr. Martin Hoffmann (Open Netlabs BV)
As part of the assessment of the risk of rolling the root zone's KSK, Verisign commissioned us to perform tests of the RFC 5011 support in past and present releases of three open source DNS resolvers, Unbound, BIND, and Knot Resolver, across the possible sequences of a roll of the root trust anchor. They kindly allowed us to share our findings. The presentation will first show our methodology (we used CZ.NIC's Deckard to simulate the full time period of a key roll) and the various scenarios we tested, covering both successful key rolls and possible aborts after starting, as well as typical operational occurrences such as installation after the key roll has started, resolver restarts during the roll, or non-writable state directories. It will then discuss our findings for each of the resolvers and show how their RFC 5011 support developed over the various releases. As a conclusion, we will try to assess what these findings may mean for the success of a root KSK roll.
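To make the tested scenarios concrete, the following is an added example (not the presenters' Deckard test suite and not code from any of the resolvers) that models the RFC 5011 trust-anchor state machine on a day-granular clock and plays three of the situations named above through it: a clean roll, a roll aborted before the add hold-down elapses, and a resolver restart during the roll with and without a writable state directory. The key tags 20326 and 11111, the timeline (new KSK published on day 10, old KSK revoked on day 50) and the `persistent` flag are constructed for the illustration; signature verification is assumed to have been done by the caller and is passed in as the set of signing key tags.

```python
"""Simplified RFC 5011 trust-anchor state machine (added illustration, not a
resolver's real implementation). Days are the clock unit; one DNSKEY RRset is
observed per day."""
from dataclasses import dataclass
from enum import Enum

ADD_HOLD_DOWN = 30     # days; RFC 5011 add hold-down time
REMOVE_HOLD_DOWN = 30  # days; RFC 5011 remove hold-down time
REVOKE_BIT = 0x0080    # DNSKEY flags REVOKE bit (RFC 5011)
SEP_BIT = 0x0001       # DNSKEY flags SEP bit; RFC 5011 manages SEP keys only
KSK_FLAGS = 0x0101     # ZONE + SEP, as on a root KSK
OLD, NEW = 20326, 11111  # constructed key tags for the old and new root KSK

class State(Enum):
    START, ADDPEND, VALID, MISSING, REVOKED, REMOVED = range(6)

@dataclass
class Key:
    keytag: int
    flags: int = KSK_FLAGS

@dataclass
class Anchor:
    state: State
    since: int = 0   # day the current hold-down timer started

class TrustAnchorStore:
    """One resolver's managed anchors. `persistent` models a writable state
    directory: if False, a restart loses everything learned via RFC 5011."""
    def __init__(self, configured_tags, persistent=True):
        self.configured = list(configured_tags)
        self.persistent = persistent
        self.anchors = {t: Anchor(State.VALID) for t in self.configured}

    def trusted(self):
        """Key tags usable for validation (Valid or Missing)."""
        return {t for t, a in self.anchors.items()
                if a.state in (State.VALID, State.MISSING)}

    def restart(self):
        """Resolver restart: without persistence, fall back to configured anchors."""
        if not self.persistent:
            self.anchors = {t: Anchor(State.VALID) for t in self.configured}

    def observe(self, day, rrset, signers):
        """Process the DNSKEY RRset seen on `day`; `signers` are the key tags
        whose RRSIGs verified (verification itself is assumed done by the caller)."""
        if not (signers & self.trusted()):
            return  # not signed by a currently trusted key: ignore entirely
        present = {k.keytag: k for k in rrset if k.flags & SEP_BIT}
        for tag, key in present.items():            # events for keys present
            a = self.anchors.setdefault(tag, Anchor(State.START, day))
            revoked = bool(key.flags & REVOKE_BIT) and tag in signers
            if a.state == State.START and not revoked:
                a.state, a.since = State.ADDPEND, day        # NewKey
            elif a.state == State.ADDPEND:
                if revoked:
                    a.state = State.START                    # Revbit
                elif day - a.since >= ADD_HOLD_DOWN:
                    a.state = State.VALID                    # AddTime
            elif a.state in (State.VALID, State.MISSING):
                if revoked:
                    a.state, a.since = State.REVOKED, day    # Revbit
                else:
                    a.state = State.VALID                    # KeyPres
        for tag, a in self.anchors.items():         # events for keys absent
            if tag in present:
                continue
            if a.state == State.ADDPEND:
                a.state = State.START                        # KeyRem resets timer
            elif a.state == State.VALID:
                a.state = State.MISSING                      # KeyRem
        for a in self.anchors.values():             # remove hold-down
            if a.state == State.REVOKED and day - a.since >= REMOVE_HOLD_DOWN:
                a.state = State.REMOVED

def successful_roll(persistent=True, restart_on=None):
    """Constructed timeline: new KSK published day 10, old KSK revoked day 50.
    Returns the trusted key tags after 100 days."""
    store = TrustAnchorStore([OLD], persistent)
    old, new, old_rev = Key(OLD), Key(NEW), Key(OLD, KSK_FLAGS | REVOKE_BIT)
    for day in range(100):
        if day == restart_on:
            store.restart()
        if day < 10:
            store.observe(day, [old], {OLD})
        elif day < 50:
            store.observe(day, [old, new], {OLD, NEW})
        else:
            store.observe(day, [old_rev, new], {OLD, NEW})
    return store.trusted()

def aborted_roll():
    """New KSK published day 10 but withdrawn day 25, inside the add hold-down."""
    store = TrustAnchorStore([OLD])
    old, new = Key(OLD), Key(NEW)
    for day in range(100):
        store.observe(day, [old, new] if 10 <= day < 25 else [old], {OLD})
    return store.trusted(), store.anchors[NEW].state

if __name__ == "__main__":
    print("clean roll:", successful_roll())
    print("restart day 45, state kept:", successful_roll(True, 45))
    print("restart day 20, state lost:", successful_roll(False, 20))
    print("restart day 45, state lost:", successful_roll(False, 45))
    print("aborted roll:", aborted_roll())
```

Running it shows the point behind the restart and state-directory scenarios: a restart that loses RFC 5011 state early in the roll is harmless, because the add hold-down simply starts over and still completes before the old key is revoked, whereas the same restart late in the roll leaves the resolver with a revoked old anchor, a new key still pending, and nothing it is willing to trust.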
Talk Duration: 30 Minutes