[ksk-rollover] ICANN board meeting result and the Current status of KSK-Rollover

Anne-Marie Eklund-Löwinder anne-marie.eklund-lowinder at iis.se
Wed Sep 19 08:08:22 UTC 2018


If ICANN would have followed the DPS the key roll had already taken place, in 2015, so there seems to be room for flexibility, and 2023 might not be the perfect time span. That said, it is important to discuss what frequency for rolling keys should be optimal. When .se used to be the trust anchor for DNSSEC for our part of the internet, we rolled once a year. Generation of a new KSK took place every year in mid December. The validity time for a KSK was two years. This meant that we had two keys that had a validity period that overlapped with one year. The frequency was chosen by the fact that it should not be carried out too often to put a burden on resolver operators and others in the community, but often enough to make sure that the operations team didn't forget how to do it. That was of course before RFC 5011.

I agree that a "post mortem" report about the current key rollover will be a good starting point for such discussion.

Kind regards,

Anne-Marie Eklund Löwinder
Chief Information Security Officer
IIS (The Internet Infrastructure Foundation)
Phone: +46 734 315 310

Visitors: Hammarby Kaj 10D
Mail: Box 92073, 120 07 Stockholm

> -----Original message-----
> From: ksk-rollover <ksk-rollover-bounces at icann.org> On behalf of David Conrad
> Sent: 18 September 2018 17:30
> To: Olaf Kolkman <kolkman at isoc.org>
> Cc: KSK Rollover <ksk-rollover at icann.org>
> Subject: Re: [ksk-rollover] ICANN board meeting result and the Current status of KSK-Rollover
> Hi,
> We (ICANN org) don’t have an opinion (individual staff members with their
> ICANN hats off might :)).
> As you’re probably aware, currently, the DPS states (paraphrasing) we should
> roll the KSK after 5 years from the point the KSK is put into use.  As such, the
> next roll is anticipated to be after 11 Oct 2023.
> However, as Matt said, we listen to the community. If the community would
> like us to roll more frequently, all that we in staff need to know is what that
> frequency is. There are, of course, operational costs associated with the roll,
> both at ICANN org as well as within the resolver operators community (at
> least for those folks who prefer to roll manually) that will vary depending on
> roll frequency, but presumably those costs won’t be too outrageous.
> The next step would probably be to figure out how to get a consensus on
> what the frequency should be. I’d think that a 'post mortem' report about the
> current rollover would be helpful in informing that consensus. The Board has
> already tasked ICANN org with putting together such a post mortem (the
> analysis Matt mentioned).
> Regards,
> -drc
> 	On Sep 18, 2018, at 3:44 AM, Olaf Kolkman
> <kolkman at isoc.org <mailto:kolkman at isoc.org> > wrote:
> 	I agree with Michael, albeit I would phrase it slightly
> differently:
> 	Rolling the key regularly is a strategic choice and makes a
> keyroll an operational reality.
> 	How regular (or how frequent) is a tactic. Whether that is
> yearly, no monthly or once half a decade is a tactic that takes into account
> some of our learnings.
> 	I would really like to see that strategic position being explicit.
> 	Olaf.
> 	----
> 	Composed on mobile device, with clumsy thumbs and
> unpredictable autocorrect.
> ________________________________
> 	From: ksk-rollover <ksk-rollover-bounces at icann.org
> <mailto:ksk-rollover-bounces at icann.org> > on behalf of Michael StJohns
> <msj at nthpermutation.com <mailto:msj at nthpermutation.com> >
> 	Sent: Tuesday, September 18, 2018 5:04:31 AM
> 	To: Matt Larson
> 	Cc: ksk-rollover at icann.org <mailto:ksk-rollover at icann.org>
> 	Subject: Re: [ksk-rollover] ICANN board meeting result and the
> Current status of KSK-Rollover
> 	On 9/17/2018 3:57 PM, Matt Larson wrote:
> 	> The answer I've given when people ask this question is that
> we need to
> 	> get through the first rollover and analyze how it goes before
> we can
> 	> discuss subsequent rollovers. One can imagine that how the
> first
> 	> rollover goes could have a material effect on the timing of
> the next one.
> 	This seems like a bad approach given that we currently
> have interest
> 	and opportunity in the roll-over that could catalyze planning
> for a
> 	second roll.  This does not - and should not - need to be single
> 	threaded.    AFAICT, you're going to know most everything you
> need to
> 	know a few seconds to a few days after you stop signing the
> old key.
> 	So - I suggest you pick a date now.  Start planning for the next
> roll
> 	now.  If your post analysis shows a problem - adapt and
> overcome and
> 	adjust the dates if you need to.  It's hard to hit a target if you
> don't
> 	put it on calendar.
> 	Later, Mike
> 	_______________________________________________
> 	ksk-rollover mailing list
> 	ksk-rollover at icann.org <mailto:ksk-rollover at icann.org>
> 	https://mm.icann.org/mailman/listinfo/ksk-rollover
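As an added illustration of the .se schedule described at the top of this thread (not code from any list participant), the following models yearly mid-December KSK generation (assuming the 15th as the generation day) with a two-year validity, and checks that consecutive keys hand over with enough overlap and how many keys resolver operators must carry at once:

```python
# Added example: model of a .se-style KSK rollover schedule (one new KSK per
# year, two-year validity, one-year overlap) and a planning sanity check.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class KeyWindow:
    tag: str
    start: date   # key becomes valid / is put into use
    end: date     # key expires


def se_style_schedule(first_year, years, validity_years=2, gen_month=12, gen_day=15):
    """One KSK generated per year (mid-December assumed as the 15th), each
    valid for validity_years years. Returns the windows in generation order."""
    windows = []
    for i in range(years):
        y = first_year + i
        start = date(y, gen_month, gen_day)
        end = date(y + validity_years, gen_month, gen_day)
        windows.append(KeyWindow(f"ksk-{y}", start, end))
    return windows


def overlap_days(a, b):
    """Days during which both keys are valid (0 if they do not overlap)."""
    lo, hi = max(a.start, b.start), min(a.end, b.end)
    return max(0, (hi - lo).days)


def check_rollover_plan(windows, min_overlap_days):
    """Sanity check for a rollover plan: every key must hand over to its
    successor with at least min_overlap_days of joint validity (no moment at
    which resolvers have no trusted key), and report the maximum number of
    simultaneously valid keys, i.e. what operators must hold as trust anchors."""
    problems = []
    for prev, nxt in zip(windows, windows[1:]):
        ov = overlap_days(prev, nxt)
        if ov < min_overlap_days:
            problems.append(f"{prev.tag} -> {nxt.tag}: overlap {ov}d < {min_overlap_days}d")
    max_concurrent = 0
    for w in windows:
        live = sum(1 for o in windows if o.start <= w.start < o.end)
        max_concurrent = max(max_concurrent, live)
    return problems, max_concurrent


if __name__ == "__main__":
    print(check_rollover_plan(se_style_schedule(2010, 5), 365))
```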