[Comments-ksk-rollover-restart-01feb18] Comment on the KSK rollover plan

Barry Leiba barryleiba at computer.org
Tue Mar 13 20:20:52 UTC 2018


I observe that:

1. The current data leads me to understand that fairly few actual
users will be affected because their service providers are not
properly prepared for the rollover.

2. Even for those users who are affected, the effect will not be to
deny them access to the Internet, but, rather, to cause a fallback to
insecure DNS.

3. That fallback is, while not ideal, not devastating, and…

4. …the issues will almost certainly be resolved quickly.

5. Delaying the rollover by 3 months, or 6, or 9, is not likely to
make a significant difference in preparedness; we’ve been planning
this for long enough to lead to the conclusion that anyone unprepared
will continue to be unprepared until they are forced to correct that.

6. Doing this first-time KSK rollover is critical to show that we can
do it and to gather experience to make it possible to do regular
5-year rollovers as originally planned.

7. Not doing the rollover prevents us from gathering that experience
and prevents us from being prepared should a rollover actually be
necessary in the future because of a compromised key.

I conclude that the risk of not doing the rollover forthwith far
exceeds the risk of doing it.  I urge ICANN to continue with the plan
to roll the root zone KSK on 11 October.

-- 
Barry Leiba  (barryleiba at computer.org)
http://internetmessagingtechnology.org/

