"Steven M. Bellovin" wrote:
A number of people havce responded that they don't want to be forced to pay for a change that will benefit Verisign. That's a policy issue I'm trying to avoid here. I'm looking for pure technical answers -- how much lead time do you need to make such changes safely?
Merely install a new version of postfix on all MX servers? Assuming that postfix itself has been modified as desired by VeriSign? Well, let's see, in an emergency with the master mail server crashing 20+ times a day, I was able to get the support folks to scavenge parts, build another machine, essentially talk them through cloning one of the old NS machines, update it to latest system and BIND 9, run a few rudimentary tests, and physically swap it in, all in just about 6 days. (I probably could have done it myself in under a day, but I'm in Michigan and they are in rural Mississippi. Also, you have to consider that it's a 3.5 hour drive round trip to Memphis for any parts needed on an emergency basis, and POPs are spread about an hour apart. Quick installation is not in the cards.) Of course, that was for BIND, not postfix, which would take longer. To order a faster postfix frontend MX machine (we did), await delivery, install and test and physically swap -- oops, they still haven't finished install and test ... in 4+ weeks so far. When they finish that, the same process on the machine swapped out, lather, rinse, repeat until all machines are finished. (Since the VeriSign emergency went away, there was a lot less pressure to divert support from the jobs they are paid to do, or work overtime.) Really, no matter how you slice it, money is at least as important to lead time as the "pure technical answers". -- William Allen Simpson Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32