On Jan 21, 2010, at 7:57 PM, Jim Reid wrote: > On 21 Jan 2010, at 23:55, Roy Arends wrote: > >> I'm arguing that the exercising should not be done on critical production >> systems. > > Argue all you like. :-) But if those procedures, policies and processes are > not exercised on the critical production systems *for real* there is no way > of knowing for sure if they'll work or not.
You're contradicting yourself. Just minutes ago, you wrote: "True mission critical environments know how to handle scheduled changes and unplanned interventions: -- applying patches, replacing hardware, OS upgrades, etc -- without compromising service. In such settings, a key rollover would just be another thing to add to the ops team's list and it shouldn't matter if that rollover was planned or not." > It would be most unfortunate to discover that they don't work whenever > there's a genuine reason for using them on the critical production > environment. Indeed it would. I'm not saying that procedures shouldn't be tested. I'm telling you that when you want to educate an SA, you do it elsewhere. If you want to test a procedure, you do that _within_ the company, on its own time schedule, without unnecessary announcements. I really hope you agree that its silly to roll a key frequently, say monthly and announce the exact time when you're going to roll it, giving miscreant another chance next month if they miss the opportunity to mess things up. That is what is currently happening. There is a danger in that. When I point that out, folks immediately grab RFC4641, telling me they _have_ to roll frequently. > By all means test them and run exercises elsewhere, Thank you! > but they do need to be invoked from time to time in the live environment. Sure. > And not just for drills. Fine. Roy _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
