[ksk-rollover] Starting discussion on acceptable criteria for proceeding with the root KSK roll

[Stephane Bortzmeyer]

On Thu, Jan 04, 2018 at 10:01:04PM +0000,
 David Conrad <david.conrad at icann.org> wrote 
 a message of 222 lines which said:

> Just to level set and argue the extreme, if we had data that
> suggested that 100% of validating resolvers would fail, would you
> personally pull the trigger that causes the KSK rollover?

If there were this data, no, because it would mean there is a general
problem, may be a broken protocol that the IETF would need to fix. But
we are not at 100 %, we now that key rollover can work, just not for
everyone.

100 % failure is an easy case to handle: it means there is clearly a
problem, and which does not reside in the ordinary sysadmin. But we
are not in the easy case.

> This (presumably) assumes humans will fix the problems in a positive
> way. I’ll admit I suspect the more likely way of fixing DNSSEC
> rollover-caused validation failures will be to simply disable DNSSEC
> validation

Yes, this is a serious risk. On the other hand, people who still use
the old key, and did not do anything to fix the problem, will have big
trouble with DNSSEC sooner or later. So, it may be a not-so-bad thing
if they disable it.

> I am personally unaware that of any noticeable change in the trust
> associated with DNSSEC as a result of the (lack of) KSK rollover.

Several people told me "so, you are still unable to replace the
[profanity deleted] key?", laughing hard. Yes, this is anecdotal
evidence, I don't have a better one to offer.