[ksk-rollover] Starting discussion on acceptable criteria for proceeding with the root KSK roll

Paul Wouters paul at nohats.ca
Mon Jan 8 18:52:07 UTC 2018

On Mon, 8 Jan 2018, Hugo Salgado-Hernández wrote:

> After the patch was released, how long does it take to pass downstream
> to common OS distros?

It depends. For instance, for RHEL, it will be fixed in 7.5. But had
we actually not aborted the roll, Red Hat would have done an accelerated
update to fix this issue.

> At this point, 4 months later, can we assume that a competent
> operator, with current OS with updated patches, is "safe from the
> rollover"?

Yes, and not only that, for this issue we could have rolled on the
original date as well.

> I wonder if ICANN in their research and direct contact with operators
> have found evidence of any bug, outdated distros, incorrect manuals,
> bad practices, etc., that demonstrate a "structural" problem with
> rollover procedures.

That is what I asked about as well. What have they learned, and how did
they try to learn this? If it were very region-centric, did they reach
out to that region further?

What do modern deployments that include a DNS server look like? Has
anyone checked popular AMIs? Checked with OpenShift, OpenStack, Docker?
Asked companies that deploy many containers how they do DNS? Or asked
the bleeding end web front/backend people what they do and how?

The only reason for waiting is to await more data. If we are not getting
new data, then based on what we know, the faulty deployments won't
vanish over time, so there is no point in waiting. Although if we do
see a decrease over time, then where is it decreasing, and can we link
some staggered decrease to the release of something open source?

