[ksk-rollover] Starting discussion on acceptable criteria for proceeding with the root KSK roll

Warren Kumari warren at kumari.net
Mon Jan 15 20:03:07 UTC 2018

On Tue, Jan 2, 2018 at 12:06 PM Paul Hoffman <paul.hoffman at icann.org> wrote:

> Greetings in the new year. As announced on this list (and in many other
> places) a few weeks ago, the ICANN org wants to use this list to get input
> from the community on acceptable criteria for proceeding with the root KSK
> roll. When we made that announcement, we saw a good number of new
> subscriptions to the list, but the discussion didn't start on its own, so
> we want to get that going.
> For reference, please see <
> https://www.icann.org/news/blog/update-on-the-root-ksk-rollover-project>.
> The relevant timing part from that article is:
> > The ICANN org will monitor this mailing list and beginning on 15 January
> > 2018, we will develop a draft plan for proceeding with the root KSK roll
> > based on the input received and discussion on the mailing list. The plan
> > will be published by 31 January 2018 and undergo a formal ICANN public
> > comment process to gather further input.
> We would really like to hear from you about the criteria you think would
> be relevant for us to observe/measure, if such criteria exist.

I have been scared to open this thread, and so it's been lurking at me,
unread in my inbox...

I've had a large number of discussions on this topic over the past few
years, wearing many different hats, and over this time, the main thing I've
learnt is that this is hard :-)

I want to raise a few concerns:
1: there is a significant bias in these responses -- the discussion is
happening on the "ksk-rollover mailing list". I just went and checked, and
I know between 2/3rd and 3/4 of the members of this list (or they are
@verisign or @icann). We definitely fall into the "weird DNSSEC crowd", and
are not representative of the average resolver operator/user. I have no
idea which way the bias leans, but I have a hard time believing that people
on a list devoted to key rolling have none :-)

2: The instances that concern me are not the large ISPs or public open
resolvers - instead it is the people who listened to all of our
proselytization, turned on DNSSEC at their employer... and then left... and
now no-one there knows what this DNS thingie is.
My wife handles IT for a number of small companies, and this sort of thing
is sadly common - there will be a box in a corner which no-one knows what
it does, but 'if the Internets stops, you turn it off and on again, and
then the Internets works again'. This is in the same bucket as "We
installed a DNS appliance. Look at the flashy lights!" -- sadly this scene
from the IT Crowd describes many small companies:

3: I'm only slightly worried about the actual breakage; I'm much more
concerned about the PR fallout from the breakage -- when ICANN looked at
the data, and made the (responsible) decision to pause and reconsider the
roll timing, the press went somewhat nuts.
When the roll happens, and someone's auntie is not able to reach www.cnn.com,
this won't be "Auntie Mae updates key", it will instead be "Critical
Internet Security Flaw Breaks Internet. ICANN, the organization responsible
for running the Internet, today broke the Internet for an unknown number of
users. When interviewed, Mae West said ...".
I'm glad to see ICANN asking for the community's feedback on this, and that
there will be a public comment period; this obviously won't stop the press
from turning any issues into a story, but at least we can say "ICANN asked
the community, and then asked again, and then published the plan. It wasn't
in a disused lavatory with a sign on the door saying 'Beware of the
Leopard'", it was here <link>. We did what the community asked....".

As for the actual question you asked -- I personally think that the data
which draft-ietf-dnsop-kskroll-sentinel will eventually produce will be
useful, but I'm a: biased and b: don't know when this would be available,
nor how much of it you'd need before making a decision. I'm punting on the
actual criteria; you're welcome!


> --Paul Hoffman
> _______________________________________________
> ksk-rollover mailing list
> ksk-rollover at icann.org
> https://mm.icann.org/mailman/listinfo/ksk-rollover