[ksk-rollover] [Ext] Re: Starting discussion on acceptable criteria for proceeding with the root KSK roll

S Moonesamy sm+icann at elandsys.com
Sun Jan 7 20:19:46 UTC 2018

Hi David,
At 09:37 AM 07-01-2018, David Conrad wrote:
>Yes. But I'm still not seeing where 2020 comes in. All the above is 
>saying is that the 2010 KSK was in a position to be rolled after 2015.

The first KSK was introduced in 2010.  That statement is about doing 
a KSK after five years.  I multiplied the duration by two, hence the year 2020.

There was a discussion about the rollover in 2013.  The delays since 
them could be interpreted as meaning that the KSK roll is 
indefinitely postponed.  At some point there may be discussions about 
whether all this is reliable.

>Sorry, where are you getting your numbers?

The numbers are from 

>To be clear, we're now seeing about 8% of the RFC 8145-reporting 
>resolvers (which is, of course, a subset of all validating 
>resolvers) indicating they're configured for only KSK-2010. The 
>issue is that we have no good idea of figuring out how many end 
>users that percentage is representing and what the implications of 
>breaking resolution for those end users will be.

According to data published by APNIC, 10.82% of DNSSEC validation 
worldwide is from Google Public DNS.  It should be possible to take 
that number out of the equation by talking with someone at Google.

The (8%) number is not meaningful if I cannot explain it in an easily 
understandable manner.   Would breaking resolution have an impact 
which is similar to the 2016 Dyn outage?  Would it take down a 
significant part of the internet in a country?

S. Moonesamy 

More information about the ksk-rollover mailing list