[ksk-rollover] [Ext] Re: Starting discussion on acceptable criteria for proceeding with the root KSK roll

Petr Špaček petr.spacek at nic.cz
Wed Jan 17 07:39:23 UTC 2018


On 17.1.2018 02:19, Paul Hoffman wrote:
> On Jan 16, 2018, at 12:48 PM, Bob Harold <rharolde at umich.edu> wrote:
>> As I understand it, draft-huston-kskroll-sentinel could be set up by one person.  
> 
> That doesn't match my understanding from the draft or the clarification that Warren sent to the DNSOP WG yesterday. It has to be installed and configured in resolvers first, and then the test can be run by one person who can get folks to hit a web page or download some JavaScript.
> 
> Warren, do I have that correctly?

I will reply even though I'm not Warren:
Yes, this is correct, it needs support in every validating resolver.

In other words, this mechanism suffers from the very same upgrade
problem as RFC 8145.

I've implemented a prototype of draft-huston-kskroll-sentinel for Knot
Resolver, but later I realized that whatever we do is largely
irrelevant when it comes to collecting reliable data for *this* KSK roll.

We should go ahead and implement draft-huston-kskroll-sentinel but I do
not see it giving us data for KSK-2017 roll.

This is how I arrived at the conclusion that KSK-2017 will inevitably
involve some out-of-band fixes and press coverage, similar to any
other security issue these days.

-- 
Petr Špaček  @  CZ.NIC
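Added illustration, not part of the thread or of Knot Resolver's code: a small simulation of the sentinel exchange discussed above, showing why a sentinel-unaware resolver yields no trust-anchor information. It assumes the label form later standardised in RFC 8509 (the January 2018 draft may spell it differently), the constructed zone `bogus.example` standing in for a deliberately broken signature, and the key tags 19036/20326 for KSK-2010/KSK-2017 (from memory, not from this message).

```python
import re

# Sentinel labels in the RFC 8509 form (assumption: the 2018 draft differed).
# The key tag is written as five zero-padded decimal digits.
IS_TA = re.compile(r"^root-key-sentinel-is-ta-(\d{5})$")
NOT_TA = re.compile(r"^root-key-sentinel-not-ta-(\d{5})$")

def resolve(qname, trust_anchors, sentinel_aware, validating=True):
    """Simulated resolver answering one query with 'OK' or 'SERVFAIL'.

    trust_anchors: set of root KSK key tags the resolver currently trusts.
    Names under the constructed zone 'bogus.example' model a broken DNSSEC
    signature, which only a validating resolver rejects.
    """
    if qname.endswith(".bogus.example"):
        return "SERVFAIL" if validating else "OK"
    if not (validating and sentinel_aware):
        return "OK"  # unaware or non-validating resolvers answer normally
    first_label = qname.split(".")[0]
    m = IS_TA.match(first_label)
    if m:
        return "OK" if int(m.group(1)) in trust_anchors else "SERVFAIL"
    m = NOT_TA.match(first_label)
    if m:
        return "OK" if int(m.group(1)) not in trust_anchors else "SERVFAIL"
    return "OK"

def classify(is_ta, not_ta, bogus):
    """Client-side reading of the three probe answers (RFC 8509 section 4)."""
    table = {
        ("OK", "SERVFAIL", "SERVFAIL"): "Vnew",  # validating, trusts new KSK
        ("SERVFAIL", "OK", "SERVFAIL"): "Vold",  # validating, lacks new KSK
        ("OK", "OK", "SERVFAIL"): "Vleg",        # validating, sentinel-unaware
        ("OK", "OK", "OK"): "nonV",              # not validating at all
    }
    return table.get((is_ta, not_ta, bogus), "indeterminate")

def probe(trust_anchors, sentinel_aware, validating=True, new_tag=20326):
    """Run the three-name test a web page or script would issue."""
    names = (f"root-key-sentinel-is-ta-{new_tag:05d}.example",
             f"root-key-sentinel-not-ta-{new_tag:05d}.example",
             "www.bogus.example")
    answers = [resolve(n, trust_anchors, sentinel_aware, validating) for n in names]
    return classify(*answers)
```

A resolver that already trusts KSK-2017 but lacks sentinel support still classifies as `Vleg`, which is the upgrade problem the message describes: the measurement cannot tell it apart from one that has not picked up the new key.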

