[ksk-rollover] KSK Roll outreach to enterprise DNS operators

Kal Feher icann at feherfamily.org
Fri Nov 9 01:59:40 UTC 2018


I raised this topic at the IETF103 KSK roll meeting (Wednesday edition).
I was asked to submit this to the list so here it is.
I'd spoken to a lot of non-ISP DNS operators prior to the 2017 roll date
and again prior to the actual 2018 roll. These resolver operators would
fall into two categories:

* Government agencies
* Enterprise IT

While some had heard of DNSSEC, most were unaware of the key roll (true
for 2017 and 2018). There were several cases where the operator was
validating but was entirely unaware of that fact. They'd deployed DNS
software somewhat recently and accepted the defaults.

I'm taking into consideration Geoff's point that it might take 3 or more
roll over attempts to achieve truly smooth roll overs. So if we agree
that at least the next two rolls (plus or including algo roll) require
operator awareness, I have two points related to the lack of awareness
amongst this specific kind of non-DNS-expert operator:

1. I think ICANN's outreach needs to include focus on channels consumed
by enterprise IT operators. More mainstream media should be involved.
This might cost money if it requires paid-for articles. Many enterprise
technology companies disseminate updates and industry trend information
via their certification and software subscription membership channels.
Ideally the next key roll could feature prominently in those materials.
2. A regular key roll schedule might help ease the communication burden
for any one key roll. In some ways it will allow us to benefit from
previous outreach efforts, if those efforts draw people's attention to a
calendar of key rolls. Even a rough calendar would help. Ideally it has
a permanent web location.

I'm aware that there are challenges faced with getting ICANN's board to
commit to a roll over well before the date, much less a rough schedule.
However, I think most outreach efforts will be more effective if
conducted after the board has approved a roll.

Of course, the true goal should be for no one to need to know that a
roll over will occur.

-- 
Kal Feher
Melbourne, Australia

