[ksk-rollover] Starting discussion on acceptable criteria for proceeding with the root KSK roll

Erwin Lansing erwin at dk-hostmaster.dk
Thu Jan 4 22:32:50 UTC 2018


David,

On 4 Jan 2018, at 23.01, David Conrad <david.conrad at icann.org> wrote:

> 2) "have the humans fix the problems as they arise"
>
> This (presumably) assumes humans will fix the problems in a positive way. I’ll admit I suspect the more likely way of fixing DNSSEC rollover-caused validation failures will be to simply disable DNSSEC validation (after all, the folks who would fix things the right way are unlikely to be bit by the rollover). Is that an acceptable outcome?

I’ll add to that corporate culture: when DNS fails, the message from higher up will be “Make it work”, not “Make it work The Right Way”.  On a side note, my biggest fear has been those people/SMBs that buy a black box for some reason, which also does DNS, and has DNSSEC turned on by default, plug it into their network and forget about it, rather than, say, people that know DNS, but not really about DNSSEC.  In all your outreach, have you noticed that to be the case, or is it more e.g. service providers, where someone flipped the switch and promptly forgot about it, or something else?

> 3) "start re-building the trust in DNSSEC globally!"
>
> I am personally unaware of any noticeable change in the trust associated with DNSSEC as a result of the (lack of) KSK rollover. Within security knowledgeable folks, I do know that trust in DNSSEC has been _increased_ a bit by the move by Verisign from a 1024 bit ZSK to a 2048 bit ZSK, but that’s obviously unrelated to the KSK rollover. What data do you have that trust has decreased due to the lack of KSK rollover?
>
> 4) "(before it's too late!)"
>
> My impression has been that the percentage of responses being validated has been increasing over time, and not just because more and more folks have been using Google Public DNS — I’ve heard anecdotally that more folks are turning on validation (perhaps as a side effect of the KSK rollover communications plan). You’re suggesting that the lack of KSK rollover will result in a crisis of trust in DNSSEC. How long do you think it will be until this occurs? It has already happened? Days? Weeks? Months? Years?

I guess these questions boil down to how you define trust.  Trust in the additional layer of security DNSSEC provides or trust in DNSSEC as a usable protocol.

The resistance to DNSSEC I’m hearing is that it is too cumbersome, too fragile, and requires too many resources to implement compared to the benefit it provides.  I have not heard anyone question the security DNSSEC provides or that postponing a rollover is reducing its security.  Both postponing the rollover and doing a rollover with significant fallout will add more fuel to the fire for those who feel DNSSEC is not a viable solution from an operational viewpoint.  All that to say, and I’m playing devil’s advocate here, at some point we do need to bite the bullet and do the rollover, because to keep postponing it is yet another signal that DNSSEC is not production ready.

Erwin

