[ksk-rollover] Starting discussion on acceptable criteria for proceeding with the root KSK roll

Bob Harold rharolde at umich.edu
Fri Jan 5 19:05:37 UTC 2018

On Tue, Jan 2, 2018 at 12:06 PM, Paul Hoffman <paul.hoffman at icann.org>

> Greetings in the new year. As announced on this list (and in many other
> places) a few weeks ago, the ICANN org wants to use this list to get input
> from the community on acceptable criteria for proceeding with the root KSK
> roll. When we made that announcement, we saw a good number of new
> subscriptions to the list, but the discussion didn't start on its own, so
> we want to get that going.
> For reference, please see <https://www.icann.org/news/
> blog/update-on-the-root-ksk-rollover-project>. The relevant timing part
> from that article is:
> > The ICANN org will monitor this mailing list and beginning on 15 January
> 2018, we will develop a draft plan for proceeding with the root KSK roll
> based on the input received and discussion on the mailing list. The plan
> will be published by 31 January 2018 and undergo a formal ICANN public
> comment process to gather further input.
> We would really like to hear from you about the criteria you think would
> be relevant for us to observe/measure, if such criteria exist.
> --Paul Hoffman

This has been an interesting discussion.  My $.02...

I don't think the delay causes any significant risk or loss of trust. I
prefer the cautious approach.

If we have data, or can reasonably get data, and it seems to show
improvement, then
we should delay and continue to collect data as long as there is
'significant' improvement, or until the number or affected clients meets
SAC063 recommendation #3. I would prefer to limit the delay to one year.

If there is no data, or if the data does not show improvement, we should
set a new date for the roll and warn people that there is likely to be some
breakage, and explain how to figure out who to contact if your resolver

We need to give people some test (draft-huston-kskroll-sentinel ?) that
they can run to see if the resolvers they use are likely to break. Tell
them "run this test in the places where you use the internet, and if it
fails, let us know and also contact the internet provider at that location
to get it fixed." If the test passes, that could be a great relief to
people who are worried about their internet provider.

Bob Harold
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20180105/e99da082/attachment.html>

More information about the ksk-rollover mailing list