[ksk-rollover] Starting discussion on acceptable criteria for proceeding with the root KSK roll

Paul Wouters paul at nohats.ca
Fri Jan 5 18:12:14 UTC 2018

On Thu, 4 Jan 2018, David Conrad wrote:

> On January 4, 2018 at 8:39:35 AM, Jacques Latour (jacques.latour at cira.ca) wrote:
> > I'll go first, we need to take into account the human behaviour, and not being an expert human behavioral analyst, I know that
> > people fix things when broken and not when it's working. So getting a 100% of people's attention to fix something not broken is
> > almost impossible.
> Agreed.
> > When we talk to ISPs about this issue, the smaller ones just turn DNSSEC validation off because it's easier.
> Not just the smaller ones. I’ve been told one of the largest ISPs in the world turned off DNSSEC until after the KSK rollover.

That's quite the disservice to their customers.

> Agreed. The question we are trying to answer is that given this, and given we now have objective data that strongly suggests there are
> folks who are NOT ready, what is the criteria by which we move ahead?

I think the ISP nameserver case is the easy part. They either upgrade,
automatically or manually, or turn it off. Any outage caused by their
lack of DNS server management skills will cause outages that will get
fixed quickly when customer service starts receiving support calls.

Trickier are the enterprise deployments that are not aware of DNS at
all. They have something that works now, and it will just break. The
problem here is that we cannot do more than warn and watch.

How does the ksk-sentinel draft change this? Would we get more
useful data? If so, how long do we need to wait to get that
additional new data?

> 1) “we need to go ahead with the roll over”

We did measurements that caused us to hit pause. I'd like to know more
about these measurements now. Is the situation getting better or is
it unchanged? If so, what efforts have we done to pinpoint the issue?
If this is some common framework (an OS vendor, a docker image, a
commonly used AMI image) can we get them to fix it?

Once we know this, we have a better idea on whether waiting is going
to be helpful or not.

> I am personally unaware of any noticeable change in the trust associated with DNSSEC as a result of the (lack of) KSK rollover.
> Within security knowledgeable folks, I do know that trust in DNSSEC has been _increased_ a bit by the move by Verisign from a 1024 bit
> ZSK to a 2048 bit ZSK, but that’s obviously unrelated to the KSK rollover. What data do you have that trust has decreased due to the
> lack of KSK rollover?

Fully agree.

So to summarize, I'd like to see the delta in knowledge between when
we hit the pause button and now, to see if we are getting better
informed or not.
