[ksk-rollover] Starting discussion on acceptable criteria for proceeding with the root KSK roll

Bob Harold rharolde at umich.edu
Tue Jan 16 20:48:18 UTC 2018

On Mon, Jan 15, 2018 at 3:03 PM, Warren Kumari <warren at kumari.net> wrote:

> On Tue, Jan 2, 2018 at 12:06 PM Paul Hoffman <paul.hoffman at icann.org>
> wrote:
>> Greetings in the new year. As announced on this list (and in many other
>> places) a few weeks ago, the ICANN org wants to use this list to get input
>> from the community on acceptable criteria for proceeding with the root KSK
>> roll. When we made that announcement, we saw a good number of new
>> subscriptions to the list, but the discussion didn't start on its own, so
>> we want to get that going.
>> For reference, please see <https://www.icann.org/news/blog/update-on-the-root-ksk-rollover-project>.
>> The relevant timing part from that article is:
>> > The ICANN org will monitor this mailing list and beginning on 15
>> January 2018, we will develop a draft plan for proceeding with the root KSK
>> roll based on the input received and discussion on the mailing list. The
>> plan will be published by 31 January 2018 and undergo a formal ICANN public
>> comment process to gather further input.
>> We would really like to hear from you about the criteria you think would
>> be relevant for us to observe/measure, if such criteria exist.
> I have been scared to open this thread, and so it's been lurking at me,
> unread in my inbox...
> I've had a large number of discussions on this topic over the past few
> years, wearing many different hats, and over this time, the main thing I've
> learnt is that this is hard :-)
> I want to raise a few concerns:
> 1: there is a significant bias in these responses -- the discussion is
> happening on the "ksk-rollover mailing list". I just went and checked, and
> I know between 2/3rd and 3/4 of the members of this list (or they are
> @verisign or @icann). We definitely fall into the "weird DNSSEC crowd", and
> are not representative of the average resolver operator/user. I have no
> idea which way the bias leans, but I have a hard time believing that people
> on a list devoted to key rolling have none :-)
> 2: The instances that concern me are not the large ISPs or public open
> resolvers - instead it is the people who listened to all of our
> proselytization, turned on DNSSEC at their employer... and then left... and
> now no-one there knows what this DNS thingie is.
> My wife handles IT for a number of small companies, and this sort of thing
> is sadly common - there will be a box in a corner which no-one knows what
> it does, but 'if the Internets stops, you turn it off and on again, and
> then the Internets works again'. This is in the same bucket as "We
> installed a DNS appliance. Look at the flashy lights!" -- sadly this scene
> from the IT Crowd describes many small companies:
> https://www.youtube.com/watch?v=12LLJFSBnS4
> 3: I'm only slightly worried about the actual breakage; I'm much more
> concerned about the PR fallout from the breakage -- when ICANN looked at
> the data, and made the (responsible) decision to pause and reconsider the
> roll timing, the press went somewhat nuts.
> When the roll happens, and someone's auntie is not able to reach
> www.cnn.com, this won't be "Auntie Mae updates key", it will instead be
> "Critical Internet Security Flaw Breaks Internet. ICANN, the organization
> responsible for running the Internet, today broke the Internet for an
> unknown number of users. When interviewed, Mae West said ...".
> I'm glad to see ICANN asking for the community's feedback on this, and
> that there will be a public comment period; this obviously won't stop the
> press from turning any issues into a story, but at least we can say "ICANN
> asked the community, and then asked again, and then published the plan. It
> wasn't in a disused lavatory with a sign on the door saying 'Beware of the
> Leopard', it was here <link>. We did what the community asked....".
> As for the actual question you asked -- I personally think that the data
> which draft-ietf-dnsop-kskroll-sentinel will eventually produce will be
> useful, but I'm a: biased and b: don't know when this would be available,
> nor how much of it you'd need before making a decision. I'm punting on the
> actual criteria; you're welcome!
> W
>> --Paul Hoffman
As I understand it, draft-huston-kskroll-sentinel could be set up by one
person.  And then anyone could use it for testing.  So I think it should be
set up (by someone better at DNSSEC than I) and publicized as part of the
announcement of a new roll date - "here is how you test if it will affect
you, and here is how to find your resolver operator if it fails"

If it could be tested broadly with an online browser ad campaign, that
would be great.

Also, the data gathered was used to try to contact resolver operators to
find out why they were not updated, but the finding was that they were
difficult to contact, and there was no apparent common cause.  So the data
was less helpful than they had hoped.  Waiting for more data seems unlikely
to help.

Bob Harold