On 21 Jan 2010, at 22:11, Roy Arends wrote:
> I'd recommend that 'exercise the activity' is not done on critical production systems.
I'd recommend the opposite. Sort of: carry out these drills in the production environment but clearly not on the systems that are actually handling the operational load.
If your processes and policies aren't up to the job of working in a critical production environment, they're fundamentally broken because they don't do what they're supposed to do. Think about it, Roy. Key rollovers will *have* to be done in a production environment, and not always according to a previously planned schedule. So whatever processes and procedures someone devises for doing a key rollover should be robust enough to cope with emergencies such as a compromised key.
True mission-critical environments know how to handle scheduled changes and unplanned interventions -- applying patches, replacing hardware, OS upgrades, etc. -- without compromising service. In such settings, a key rollover would just be another thing to add to the ops team's list and it shouldn't matter if that rollover was planned or not.
_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop
