[ksk-rollover] Starting discussion on acceptable criteria for proceeding with the root KSK roll

Thu Jan 4 21:23:51 UTC 2018

Hi, the subject is very hard to discuss: on the one hand, we have a process we must follow unil the end as we already engaged on it. On the second hand, ICANN fears to isolate many end users due to the fact that resolvers do not update with KSK-2017.As Paul mentioned, getting 100% readiness is hard even seems impossible to achieve.
What i suggest is that we must have an estimation of how many end users will be isolated from Internet if we go for the rollover now and how many resolvers still have KSK-2010 only at the current date. Knowing those data should be a good reference point. Then, ICANN can continue contacting the administrators, having their awarness sessions/trainings, provide technical supports, ... in permanent and more intensive basis. Each end of month, ICANN can publish data for the above two KPI to see how we are globally improving to reduce the severity of impact. Meanwhile, ICANN will put in place various emergency response technical pool of staff and choose a date for the rollover.Those who are still not ready at the date of the rollover will be isolated from Internet and administrators must have to contact one pool of ICANN emergency response staff to get support.

-- Prenez soin de vous car chaque jour est une vie. Yazid M. AKANHO Mobile: (+229)97979910 LinkdIn: www.linkedin.com/in/yakanho
blog: http://yakanho.beninois.net 

    Le jeudi 4 janvier 2018 à 17:39:34 UTC+1, Jacques Latour <Jacques.Latour at cira.ca> a écrit :  

 I'll go first, we need to take in account the human behaviour, and not being an expert human behavioral analyst, I know that people fix things when broken and not when it's working.  So getting a 100% of people's attention to fix something not broken is almost impossible. 

When we talk to ISP about this issue, the smaller ones just turn DNSSEC validation off because it's easier.

It's impossible to have 100% readiness.
The majority of DNSSEC validation today is via google DNS.

I think we need to go ahead with the roll over, have the humans fix the problems as they arise, and start re-building the trust in DNSSEC globally! (before it's too late!)

My 2 cents!

Jacques

> -----Original Message-----
> From: ksk-rollover [mailto:ksk-rollover-bounces at icann.org] On Behalf Of Paul Hoffman
> Sent: January 2, 2018 12:07 PM
> To: ksk-rollover at icann.org
> Subject: [ksk-rollover] Starting discussion on acceptable criteria for proceeding with the root KSK roll
> 
> Greetings in the new year. As announced on this list (and in many other places) a few weeks ago, the ICANN org wants to use this list
> to get input from the community on acceptable criteria for proceeding with the root KSK roll. When we made that announcement,
> we saw a good number of new subscriptions to the list, but the discussion didn't start on its own, so we want to get that going.
> 
> For reference, please see <https://www.icann.org/news/blog/update-on-the-root-ksk-rollover-project>. The relevant timing part
> from that article is:
> 
> > The ICANN org will monitor this mailing list and beginning on 15 January 2018, we will develop a draft plan for proceeding with the
> root KSK roll based on the input received and discussion on the mailing list. The plan will be published by 31 January 2018 and
> undergo a formal ICANN public comment process to gather further input.
> 
> We would really like to hear from you about the criteria you think would be relevant for us to observe/measure, if such criteria exist.
> 
> --Paul Hoffman
> _______________________________________________
> ksk-rollover mailing list
> ksk-rollover at icann.org
> https://mm.icann.org/mailman/listinfo/ksk-rollover
_______________________________________________
ksk-rollover mailing list
ksk-rollover at icann.org
https://mm.icann.org/mailman/listinfo/ksk-rollover

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20180104/ee144c67/attachment.html>