[ksk-rollover] Starting discussion on acceptable criteria for proceeding with the root KSK roll

[Paul Wouters]

On Fri, 5 Jan 2018, S Moonesamy wrote:

> At 04:19 PM 04-01-2018, Geoff Huston wrote:
>> Carlos, (I'm asking because you posted a "me too") what is the data set you 
>> are using to justify this call to be "over soon"?? It seems to me that in 
>> the absence of new data, the only changed factor is your own appetite for 
>> risk. Without additional data, your tolerance for risk appears to increase 
>> over time (*). But is this altered personal perception of the risk 
>> sufficient motivation to proceed? Objectively, if the numbers in September 
>> 2017 gave sufficient grounds to pause, and the numbers haven't changed (**) 
>> then surely the grounds for pausing the operation as as strong now as they 
>> were in September (***).
>
> There is the following in the KSK rollover plan: "The Design Team is unaware 
> of what specific objectives would be achieved by delaying a KSK roll".  The 
> plan was put on hold because of the data from September 2017.  At the moment 
> it is unknown if/when there will be a KSK roll.  Is not doing a KSK roll by 
> 2020 [1] a viable option?

As a Design Team member, let me say that the Design Team no longer really
exists, and that we did not call for the delay.

At the time, there were no statistics to base and decision on. We have
some now from Sep 2017. It would be nice to get more. I understand ICANN
was also trying to find out more and hired people to do so. What
happened to that effort? Do we have new data? Do we have new sources of
bad behaviour (eg software versions, OS versions, other issues?). Have
we ruled out any software design/deployment issues?

If we are waiting on more data, lets finish with the data. If we are not
gathering more data, then there isn't any point in waiting.

As for the voices of dnssec critics, most of that is so biased that
there isn't much point of considering it. Or as Taylor Swift wisely
said, Haters gonna hate hate hate hate.

Paul