[dns-operations] No public calendar for the root signing deployment
bmanning at vacation.karoshi.com
Thu Dec 10 19:47:05 UTC 2009
On Thu, Dec 10, 2009 at 11:31:06AM -0800, David Conrad wrote:
> Bill,
>
> On Dec 10, 2009, at 11:21 AM, bmanning at vacation.karoshi.com wrote:
> > I suspect that one reason the staged rollout
> > of a signed, but useless for DNSSEC purposes root zone prior
> > to a usable signed root zone is to flush out the extent of
> > this problem... but I'm just guessing here.
>
> Since you, as operator of the B root server, have been told this is explicitly one of the reasons we're doing the incremental deployment and why we've asked all the root operators to be in a position to monitor their servers for unexpected behavior (and as far as I've heard, all the root servers agreed), I am confused as to why you say you're guessing.
>
> Regards,
> -drc
>
well the root operators were told there would be a staged deployment instead of
a flag day - this is true. it is also true that we were told there would not be
valid data until after 1h2010. however i never heard that "we've" asked the operators to
be in a position to monitor the servers in this transition. the operators agreed to
look into augmenting their existing monitoring to ensure the transition to DNSSEC
went smoothly and as a precursor to the development of a more persistent and sustainable
"Early Warning" system for the DNS that was called out in the recent Scalability
study. the reason I am guessing is that simple instrumentation of the root servers
is not going to show this problem as "unexpected behaviour" ... what we might see
is a migration of some versions of some resolvers from one root to others. we won't
see resolvers that outright fail to prime. to do that (a more accurate measure of
the extent of this problem) we would have to have priming data from the roots prior
to the deployment of a DURZ or equivalent - then look for those nodes who disappear
from any priming sequence during/after DURZ rollout.
imho of course.
--bill
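
The measurement described in the message above, sketched as an added example (not part of the original post and not any root operator's tooling): priming queries from all roots are compared before and after the DURZ rollout, so that a resolver that merely migrated to another root is separated from one that stopped priming everywhere. The record format, the addresses and all function names are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample records: "<phase> <root-letter> <resolver-ip> <qname> <qtype>".
# Hypothetical format; real root-server captures would need their own parser.
SAMPLE = """\
pre  b 192.0.2.10 . NS
pre  b 192.0.2.11 . NS
pre  f 192.0.2.12 . NS
pre  b 192.0.2.13 example.com. A
pre  b 192.0.2.14 . NS
post f 192.0.2.10 . NS
post f 192.0.2.12 . NS
post b 192.0.2.14 . NS
post b 192.0.2.13 example.com. A
post k 198.51.100.7 . NS
"""

def priming_map(lines, phase):
    """Return {resolver: set(roots)} for priming queries (qname '.', qtype NS)."""
    seen = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed records
        ph, root, src, qname, qtype = fields
        if ph == phase and qname == "." and qtype.upper() == "NS":
            seen[src].add(root)
    return seen

def lost_from_root(lines, root):
    """What a single root's own instrumentation shows: sources that left it."""
    pre, post = priming_map(lines, "pre"), priming_map(lines, "post")
    return sorted(s for s in pre if root in pre[s] and root not in post.get(s, set()))

def classify(lines):
    """Cross-root view: split pre-rollout primers by what happened afterwards."""
    pre, post = priming_map(lines, "pre"), priming_map(lines, "post")
    result = {"unchanged": [], "migrated": [], "disappeared": []}
    for src in sorted(pre):
        if src not in post:
            result["disappeared"].append(src)  # primes at no root any more
        elif post[src] == pre[src]:
            result["unchanged"].append(src)
        else:
            result["migrated"].append(src)     # still primes, at other roots
    result["new"] = sorted(set(post) - set(pre))
    return result

if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    print("lost from b:", ", ".join(lost_from_root(lines, "b")))
    for label, sources in classify(lines).items():
        print(f"{label:12} {', '.join(sources) or '-'}")
```

A source listed as disappeared is only a candidate: it may simply not have re-primed within the post-rollout capture window.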