[ksk-rollover] [Ext] Re: Starting discussion on acceptable criteria for proceeding with the root KSK roll

David Conrad david.conrad at icann.org
Tue Jan 9 00:26:38 UTC 2018


Hi,

On January 7, 2018 at 12:54:49 PM, S Moonesamy (sm+icann at elandsys.com) wrote:
> The first KSK was introduced in 2010. That statement is about doing
> a KSK after five years. I multiplied the duration by two, hence the year 2020.

I don’t think the idea was that there would be a slot every 5 years and if we missed a slot, we’d have to wait until the next slot 5 years later (or, alternatively, that we’d have to accelerate the next roll to be less than 5 years if the roll took time). I would presume that without further direction by the community, the next roll will occur 5 years after we put KSK-2017 into operation. The question here is when will we be putting KSK-2017 into operation.

> There was a discussion about the rollover in 2013. The delays since
> then could be interpreted as meaning that the KSK roll is
> indefinitely postponed. At some point there may be discussions about
> whether all this is reliable.

We were on track to roll the KSK on 11 Oct 2017. We postponed the roll as a result of new information days before we were intending to move forward. Suggesting that this means an indefinite postponement seems a bit of a reach to me.

> The (8%) number is not meaningful if I cannot explain it in an easily
> understandable manner.

To be clear: the 8% number reflects the percentage of resolvers reporting according to RFC 8145 that have only KSK-2010 configured and which presumably would be unable to validate if we roll the KSK. The meaning of this is that we have concrete data that show a non-zero number of resolvers will fail, presumably impacting a non-zero number of end users. While this was suspected, prior to the RFC 8145 data, we did not have certainty. We still do not know how many end users will be impacted because we can’t tell how many end users are behind the resolvers that are reporting KSK-2010 only.

> Would breaking resolution have an impact
> which is similar to the 2016 Dyn outage? Would it take down a
> significant part of the internet in a country?

We do not know.

Regards,

-drc
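
The measurement described in the message above (the share of RFC 8145 reporters that announce only KSK-2010), as an added example that is not part of the original message or of ICANN's tooling. The log format, addresses and timestamps are constructed; 19036 and 20326 are the key tags of KSK-2010 and KSK-2017.

```python
import re

KSK_2010 = 19036  # key tag 0x4a5c
KSK_2017 = 20326  # key tag 0x4f66

# RFC 8145 key tag query name: "_ta-" then 4-hex-digit tags joined by "-".
TA_QNAME = re.compile(r"^_ta-([0-9a-f]{4}(?:-[0-9a-f]{4})*)\.?$", re.I)

# Constructed sample log: "<unix time> <resolver address> <QNAME>"
SAMPLE_LOG = """\
1507000000 192.0.2.10 _ta-4a5c.
1507000100 192.0.2.11 _ta-4a5c-4f66.
1507090000 192.0.2.12 _ta-4a5c-4f66.
1507000200 192.0.2.12 _ta-4a5c.
1507000300 198.51.100.5 _ta-4a5c-4f66.
1507000400 198.51.100.6 www.example.
1507000500 198.51.100.7 _ta-zzzz.
1507000600 203.0.113.9 _ta-4A5C.
"""

def parse_key_tags(qname):
    """Return the set of key tags in a signal query, or None if not one."""
    m = TA_QNAME.match(qname)
    if not m:
        return None
    return frozenset(int(h, 16) for h in m.group(1).split("-"))

def latest_reports(log_text):
    """Map each reporting resolver to the tags in its most recent signal."""
    latest = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        ts, source, qname = int(fields[0]), fields[1], fields[2]
        tags = parse_key_tags(qname)
        if tags is None:
            continue  # ordinary query or malformed signal: not a reporter
        if source not in latest or ts >= latest[source][0]:
            latest[source] = (ts, tags)
    return {src: tags for src, (_, tags) in latest.items()}

def ksk2010_only_share(reports):
    """Return (resolvers with KSK-2010 but not KSK-2017, reporters, percent)."""
    only_old = sorted(s for s, t in reports.items()
                      if KSK_2010 in t and KSK_2017 not in t)
    pct = 100.0 * len(only_old) / len(reports) if reports else 0.0
    return only_old, len(reports), pct

if __name__ == "__main__":
    print(ksk2010_only_share(latest_reports(SAMPLE_LOG)))
```

The denominator is resolvers that send the signal at all, so the percentage describes reporting resolvers only and carries no information about how many end users sit behind each one.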