[ksk-rollover] [Ext] Re: Starting discussion on acceptable criteria for proceeding with the root KSK roll

wfms at wfms.org wfms at wfms.org
Thu Feb 1 12:33:04 UTC 2018

Hi Paul, Matt and all.

(Switching hats)

I've followed the discussion quite a bit on the mailing list, and feel that 
pretty much most of what needed to be said was said, so I'll leave at that and 
not repeat anything.  But here are 2c:

I admire the fact that ICANN are taking this on the chin, delaying the 
roll-over in deference to the end user.  However, I feel ICANN may be 
overstepping the mark:  Ultimately, it is up to the operators to 'opt-in' and 
use DNSSEC.  Aside from the TLDs you have a say over, ICANN don't have the 
authority (and to a degree, the responsibility) to dictate to these resolver 
operators:  No gun was ever held to their heads to force them to adopt DNSSEC.

That said, I disagree with a number here who say 'just do it.'  There be 
dragons and I agree with Geoff, there's the issue of inviting comparisions to 
the Wild West of the Internet. I would offer this:

Announce a tentative date of April 11, 2018 and see who
pipes-up (just tell them I did it).  Operators (negligent, diligent, absent)
can only be warned for so long and so much that ultimately the warnings fall
on deaf ears or people just get jaundiced and don't believe it will happen.
The danger of setting a date is to have it moved again and losing further
operational trust.

Those suggesting to wait for more data (if there is a reasonable
expectation of more coming) I could suggest a date of October 11, 2018. 
It gives time to determine if a trend can be established plus it gives a
unique opportunity of a longer-term transition by having KSK 2010 and KSK
2017 hang around longer together and ultimately studying the effect of 
that too. Plus it gives more time for operators to actually fix things.

In summing and to bring this back to the original poster's question,
here's a stab at criteria for setting a date for the complete rollover (in
no particular order):

1) measuring the value of trust in DNSSEC
2) having the best available data
3) a trend showing an uptake of KSK 2017 reaching the best rate approaching a
    flatline in that data.

If a date can be agreed to, what happens next is to do another reach out, but 
more targetted.  For example, for those registrars that offer up DS key 
registration, can they link to a notice from the dialog boxes where they 
get entered, or publish a one-line blurb about the impending roll-over 
and what that means?

Alternatively here's perhaps a more risky proposition:  A combination of 
'just do it' but with a twist.  Pull the old KSK for a fixed time period 
(hours?) WITH lot's of prior advance warning on a certain date (someone 
WILL be collecting data....right?).  Long have there been calls by groups 
to attempt to disrupt the DNS, what's a planned *potential* outage 
affecting DNSSEC?  Seriously though, it is akin to jerking a sleeping 
dog's chain, but no one really knows if it's a Chihuahua or a Great Dane 
on the other side of that fence until a hardy pull gets made.

I think your note below on communications hits the mark so I'll leave it at 


On Wed, 17 Jan 2018, Matt Larson wrote:

>       On Jan 17, 2018, at 1:19 PM, Warren Kumari <warren at kumari.net> wrote:
> I ment to include the below in my original bloviation:
> I think it would be really useful to reach out to the press who published 
> articles on the
> keyroll pause (e.g: BleepingComputer, Bloomberg, Modern Ghana, The Register, 
> ITWorld, etc) -
> having them be told ahead of time that ICANN stopped things, got community 
> feedback and is
> proceeding cautiously (potentially) changes the narrative completely - and, 
> at least, helps
> prevent the bad PR hit to ICANN (this is an ICANN list, after all) and them 
> feeling
> blindsided. Converting the potential PR ding into a win would be nice - and 
> may also reach
> more people.
> This is a good suggestion and I will add it to the hopper of PR ideas. Please 
> recall that in late
> December 
> (https://www.icann.org/news/blog/update-on-the-root-ksk-rollover-project), we 
> wrote:
>       The ICANN org will monitor this mailing list and beginning on 15 
> January 2018, we will
>       develop a draft plan for proceeding with the root KSK roll based on the 
> input received
>       and discussion on the mailing list. The plan will be published by 31 
> January 2018 and
>       undergo a formal ICANN public comment process to gather further input. 
> We are indeed planning to publish a draft plan for moving forward at the end 
> of the month based on
> this discussion, and we're also planning PR activities to publicize the plan 
> and the formal public
> comment, including outreach to publications that have previously covered the 
> root KSK roll or that
> we suspect would be willing to cover it.
> Matt

More information about the ksk-rollover mailing list