[ksk-rollover] [Ext] Re: Starting discussion on acceptable criteria for proceeding with the root KSK roll

Erwin Lansing erwin at dk-hostmaster.dk
Fri Jan 5 08:30:58 UTC 2018


David,

On 5 Jan 2018, at 02.29, David Conrad <david.conrad at icann.org> wrote:

> I share this concern, but TBH, from my experience in the outreach I was involved with personally, the response was bimodal, either:
>
> A) boredom, having to listen to yet another talk on stuff they’d already dealt with (e.g., NANOGs, RIPE meetings, etc)
>
> - or -
>
> B) incomprehension, not even knowing what the letters DNS stand for. (e.g., CIO/CTO forums, non-technical venues)
>
> The reality is that finding the right people to speak to to ensure resolvers are properly configured for the KSK rollover turns out to be quite hard.

I, and most people on this list, are definitely in group A.  Those talks are good breaks to check email during conferences :-)

But seriously, that goes to the heart of the problem.  The people trying to fix the issue (A) are not the people actually using the service (B).  That’s both a problem to reach those people that may need to act in some way, but also might lead to misunderstandings about how the world looks from the viewpoint of the other group.


> To be very clear, we don’t want to continue postponing. What we’re looking for is for the community to tell us in the ICANN Org how to move forward. We were surprised with the 8145 data (i.e., that we were actually getting data and the number of misconfigurations we were seeing were as high as they were). We’ve done a bit of analysis and from what little we’ve been able to ascertain, there doesn’t appear to be anything fundamentally broken with the architecture or implementations, rather misconfiguration happens. This isn’t surprising. However, now that we know concretely there will be brokenness, how much is the community willing to tolerate (and what metrics can we use to ensure we’re below that threshold).

So we don’t want to not do the rollover, we know our data is incomplete, and we know there will be an unknown amount of fallout.  From the data that we do have through 8145, is there any indication that the amount of known brokenness is decreasing?  Could that be used as an indicator that, despite all the tremendous effort from ICANN and others over the last months, we have no way to decrease the known fallout further, thereby assuming there’s nothing more we can do to prevent the unknown fallout either?

Erwin

