[Yeti DNS Discuss] Re: Call for comment: Experiment proposal for Yeti Algorithm Rollover

Davey Song(宋林健) ljsong at biigroup.cn
Mon Jan 21 05:55:02 UTC 2019


Hi,

https://github.com/BII-Lab/Yeti-Project/blob/master/doc/Experiment-AlgRoll-lab.md

I re-drafted a lab test based on an algorithm rollover testbed, setting up 4
root servers with 4 different approaches of algorithm roll. More than 2
resolvers (at least bind and unbound) will be tested against each server.
This testbed will be set up this week and we will kick off the rollover process
next week. If anyone is interested in connecting to this testbed, please
reply and comment on this mail. Next week I will provide the access information
of the testbed in this thread.

Davey
> -----Original Message-----
> From: Stephane Bortzmeyer [mailto:bortzmeyer at nic.fr]
> Sent: December 28, 2018 0:46
> To: Davey Song
> Cc: discuss at lists.yeti-dns.org
> Subject: Re: [Yeti DNS Discuss] Call for comment: Experiment proposal for Yeti Algorithm Rollover
> 
> On Wed, Dec 26, 2018 at 03:35:01PM +0800, Davey Song
> <ljsong at biigroup.cn> wrote a message of 147 lines which said:
> 
> > After some investigation of algorithm rollover and existing practice
> > in ccTLDs (.se and .br), I proposed an algorithm rollover experiment
> > plan for Yeti.
> >
> > https://github.com/BII-Lab/Yeti-Project/blob/master/doc/Experiment-AlgRoll.md
> 
> > The reason for only rolling the KSK is that some people suggested that
> > some resolvers may not tolerate a KSK and a ZSK using different
> > algorithms in the same zone (notably PowerDNS).
> 
> This sentence is unclear. If some resolvers cannot tolerate a KSK and a ZSK with
> different algorithms, it seems to imply the opposite: we need to change the
> algorithm of the ZSK as well.
> 
> Also, reading the excellent report
> <https://labs.ripe.net/Members/anandb/dnssec-algorithm-roll-over>, it seems
> that some resolvers (that was three years ago) complained when the records
> were not signed with *all* the algorithms listed in the DS record. So, when the
> new KSK will be accepted as a trust anchor, it may break these resolvers.
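
The condition raised in the quoted reply (records not signed with every algorithm in the DS set) can be checked before a roll step goes live. The following is an added example, not part of the original thread or of the Yeti project's tooling: it parses a constructed zone snapshot of a KSK-only roll and lists each RRset that lacks an RRSIG from a required algorithm, following RFC 4035 section 2.2. The `example.` zone, its key tags and the function name `missing_signatures` are assumptions.

```python
from collections import defaultdict

# Constructed snapshot of a KSK-only algorithm roll (not Yeti testbed data):
# a new KSK with algorithm 13 is published and listed in DS, while the ZSK
# and the signatures over ordinary data still use algorithm 8 only.
ZONE = """\
example. 3600 IN DS 11111 8 2 D1
example. 3600 IN DS 22222 13 2 D2
example. 3600 IN DNSKEY 257 3 8 K1
example. 3600 IN DNSKEY 257 3 13 K2
example. 3600 IN DNSKEY 256 3 8 K3
example. 3600 IN RRSIG DNSKEY 8 1 3600 20190301000000 20190201000000 11111 example. S1
example. 3600 IN RRSIG DNSKEY 13 1 3600 20190301000000 20190201000000 22222 example. S2
example. 3600 IN SOA ns.example. admin.example. 1 7200 3600 1209600 3600
example. 3600 IN RRSIG SOA 8 1 3600 20190301000000 20190201000000 33333 example. S3
www.example. 3600 IN A 192.0.2.1
www.example. 3600 IN RRSIG A 8 2 3600 20190301000000 20190201000000 33333 example. S4
"""

def missing_signatures(zone_text):
    """Return sorted (owner, type, algorithm) triples for every RRset that
    lacks an RRSIG from an algorithm it is required to be signed with."""
    ds_algs, key_algs = set(), set()
    rrsets = set()
    signed_by = defaultdict(set)       # (owner, type) -> RRSIG algorithms
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        owner, rtype, rdata = fields[0].lower(), fields[3], fields[4:]
        if rtype == "DS":              # parent side: keytag alg digest-type digest
            ds_algs.add(int(rdata[1]))
        elif rtype == "RRSIG":         # type-covered alg labels ...
            signed_by[(owner, rdata[0])].add(int(rdata[1]))
        else:
            rrsets.add((owner, rtype))
            if rtype == "DNSKEY":      # flags protocol alg key
                key_algs.add(int(rdata[2]))
    gaps = []
    for owner, rtype in rrsets:
        # RFC 4035 section 2.2: every RRset needs a signature from each
        # DNSKEY algorithm; the DNSKEY RRset also from each DS algorithm.
        required = key_algs | (ds_algs if rtype == "DNSKEY" else set())
        gaps += [(owner, rtype, a) for a in required - signed_by[(owner, rtype)]]
    return sorted(gaps)

if __name__ == "__main__":
    for owner, rtype, alg in missing_signatures(ZONE):
        print(f"{owner} {rtype}: no RRSIG with algorithm {alg}")
```

For a root zone such as Yeti's there is no DS RRset; the configured trust anchor algorithms would take the place of the DS lines in the input.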




