[ksk-rollover] Starting discussion on acceptable criteria for proceeding with the root KSK roll

Geoff Huston gih at apnic.net
Fri Jan 5 00:19:17 UTC 2018

> On 5 Jan 2018, at 10:45 am, Carlos Marcelo Martinez Cagnazzo <carlosm3011 at gmail.com> wrote:
> I fully, fully agree with Jacques and others. This needs to be over soon. 

When we roll the clock back to September 2017, the cited reason for the deferral of the root roll was the existence of data from resolvers that supported RFC8145 signalling that a pool of these resolvers had not loaded KSK20911 into their local trusted key store.

Carlos, (I’m asking because you posted a "me too") what is the data set you are using to justify this call to be “over soon”? It seems to me that in the absence of new data, the only changed factor is your own appetite for risk. Without additional data, your tolerance for risk appears to increase over time (*). But is this altered personal perception of the risk sufficient motivation to proceed? Objectively, if the numbers in September 2017 gave sufficient grounds to pause, and the numbers haven't changed (**) then surely the grounds for pausing the operation are as strong now as they were in September (***).

So if you want to show that at its heart the Internet is still the wild west and we work on gut instincts and disregard data that appears to contradict such instincts, then by all means please roll the key. Personally I think such calls to roll the key are more emotive than reasoned and we need to fill in the gaps with real data rather than rhetoric.


* Humans are really really bad at risk assessment - they amplify inferred risk from recent events and discount the risk associated with old events (The fact that many millions of folk live in areas of highly active geology just because the last major catastrophic event happened decades ago is a really good illustration of this human risk perception problem.)

** I have not seen a recent update to the RFC8145 numbers, but I assume that not much has changed

*** The problem was not that the RFC8145 numbers gave strong evidence that the root key was not being loaded. The issue was that the RFC8145 signal is as noisy as you can get. Because it's noisy it's a challenge to either prove or disprove any theory about the true KSK2011 state and the likely impact on users. And the task to allow the process to proceed is to provide a new data set that can clear up the interpretation problems with the RFC8145 data.
