On Fri, Jan 22, 2010 at 03:23:02PM +0000, [email protected] wrote:
> the apparent nub of the argument is... we need to be
> able to do this rollover thing, but if we screw up
> it will be hard to put back together... so we won't
> actually do the task - and hope that we'll never
> pull the trigger.

That's question-begging. The exact question under dispute is whether "we need to be able to do this rollover thing". Maybe one needs to be able to do it, and maybe not, and maybe the event itself is so rare in some zones that treating every occasion as the 1st time is the right approach. That's exactly what's up for debate. Some (I am among them) claim that there's a risk/reward trade-off, and others seem to start with the premise that it is a necessary event. Only if you accept the latter can you argue that it's the sort of operational event that must be undertaken with any regularity, and even then I think the argument is weak.

> DNS operators -have- to pay attention these days or
> the system will stop working.

This is true, but it's unrelated to key rolls. It has to do with the resigning period, which is a completely different issue.

On Fri, Jan 22, 2010 at 12:52:05PM -0500, Joe Abley wrote:
> I don't think it matters whether the key roll schedule is perfectly
> periodic (e.g. every interval T) or event-driven (e.g. every time
> someone joins or leaves the operations team) but in general I am not
> comfortable relying on important machinery to work when you need it
> if it's not exercised.

Ok, except that each exercise of this machinery is in fact a case of "needing it", since you're going to do exactly the things you'd need to do when you need it. The problem with the key roll as "exercising the machinery" is that it's a destructive test.

> If you need an analogy, I think generator testing is a better one
> than launching ICBMs at schools. You hope never to need your
> generator, but you test it regularly anyway just in case.

Good analogy. What you do here depends on your operation.

If you are the sort of hugely-automated total 24x7 shop that needs to be able to prove in a controlled fashion that your generators all work, come on line, and take the load, then maybe (and only maybe) you turn the whole thing on, flip everything over to generators, and so on from time to time (in a controlled way) to prove that it all works. But if you have a tiny generator that is supposed to allow you to operate a couple things in your house in case of a snowstorm, all you do is fire it up and make sure it produces power. Which sort of test you ought to do is governed by what kind of needs you have.

Since I think I've sung that refrain to everyone's boredom, however, I'll shut up about it now.

A

--
Andrew Sullivan
[email protected]
Shinkuro, Inc.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
