First part of the day was creating the infrastructure for the test and testing to see if the delegations were there.

The zone assignments and last octet of the IP address (192.168.53.*) were:

    Zone              Assigned to   Last octet   Notes
    test              davidb        204
    optin             davidb        118
    secure            joao          208
    optin.test.       miek          202
    secure.test.      olaf          211
    insecure.test.    ted           233          bind 9.1
    optin.optin.      miek          114
    secure.optin.     jaap          116
    insecure.optin.   jeurgen       235          bind 8
    optin.secure.     miek          115
    secure.optin.     jaap          117
    insecure.optin.   ted           234          bind 9.2

The testbed used bind-9.3.0ws20030120-optin0 from ISC, a Java opt-in signer from VeriSignlabs and a gtld opt-in web service, and Miek's dnssec resolver.

Here are the various reports that we have found while building the testbed.

Olaf reports that the new signer works with ksk.

We first tried resolving off of .test with a trusted key. There was only a single sig and multiple keys. We had a problem identifying what SIG was associated with the KEY. It would be really nice to be able to identify the associated sigs with their particular keys. It was suggested to request an additional feature: that dig have a "babble" option to identify SIGs with KEYs.

Task - make sure all delegations are working, secure and insecure.

As we were testing the zones, we found that the opt-in signer has some problem that makes the verifier fail. The problem turned out to be an ordering problem with sigs associated with keys. Dave issued a work-around by patching the zone with sigs for the keys that were generated from bind.

As we were testing this, Olaf found a bug with keygen: dnssec-keygen ignores ksk if ID key on the command line.

Finally, the testbed was set up and the first opt-in test was run and resulted in the dig of death: if one tries to follow an opt-in delegation, bind crashes. A bug report was submitted to ISC for resolution.

As we were debugging this, we have two more requests for ISC:

    logging should have more information on the cause of failures.
    dnssec-keygen should drop all the features other than zone.

End of First day
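The SIG-to-KEY identification problem described above can be worked out from dig-style output by computing each key's key tag and comparing it with the key tag field carried in each SIG. The following is an added example, not part of the original report or of any tool used in the testbed; the function names and the sample records are constructed for illustration.

```python
import base64

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag of a KEY/DNSKEY RDATA (RFC 2535 App. C, RFC 4034 App. B)."""
    if algorithm == 1:
        # RSA/MD5: the tag is two bytes taken from the end of the modulus.
        return int.from_bytes(pubkey[-3:-1], "big")
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def match_sigs(lines):
    """Pair each SIG with the KEY of the same signer name and key tag.

    Returns a list of (type_covered, key_tag, role), where role is "KSK",
    "ZSK", or None when no listed key has that tag.
    """
    keys, sigs = {}, []
    for line in lines:
        f = line.split()
        if len(f) < 8:
            continue
        owner, rtype, rdata = f[0].lower(), f[3], f[4:]
        if rtype in ("KEY", "DNSKEY"):
            flags, proto, alg = (int(x) for x in rdata[:3])
            pub = base64.b64decode("".join(rdata[3:]))
            # The SEP bit (lowest flag bit) marks a key-signing key.
            role = "KSK" if flags & 1 else "ZSK"
            keys[(owner, key_tag(flags, proto, alg, pub))] = role
        elif rtype in ("SIG", "RRSIG"):
            # RDATA: covered alg labels ttl expire incept tag signer sig
            sigs.append((rdata[0], int(rdata[6]), rdata[7].lower()))
    return [(cov, tag, keys.get((signer, tag))) for cov, tag, signer in sigs]

# Constructed sample records (toy key and signature material, not real keys).
SAMPLE = [
    "test. 3600 IN KEY 256 3 5 AQIDBA==",
    "test. 3600 IN KEY 257 3 5 CgsMDQ==",
    "test. 3600 IN SIG KEY 5 1 3600 20030301000000 20030201000000 6686 test. c2ln",
    "test. 3600 IN SIG SOA 5 1 3600 20030301000000 20030201000000 2059 test. c2ln",
    "test. 3600 IN SIG NXT 5 1 3600 20030301000000 20030201000000 12345 test. c2ln",
]

if __name__ == "__main__":
    for covered, tag, role in match_sigs(SAMPLE):
        print(f"SIG over {covered}: key tag {tag} -> {role or 'no matching KEY'}")
```

Key tags are not guaranteed unique, so a match only narrows the candidate keys; the signature check itself settles which key made the SIG.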