[Comments-ksk-rollover-restart-01feb18] KSK Rollover - Jacques Latour Comments

Jacques Latour Jacques.Latour at cira.ca
Wed Mar 14 19:04:35 UTC 2018


Hi,

Please roll over the KSK as per plan.
Please roll over the KSK on an annual basis (or every 2 years)
Please develop better processes to automate the KSK rollover (not 5011)
Please don't delay further!

Collateral damage of rolling the key: There will be some but it will be short lived.

We need to take into account human behaviour, and not being an expert human behavioral analyst, I know that people fix things when broken and not when it's working. So getting 100% of people's attention to fix something not broken is almost impossible.

It's impossible to have 100% readiness.
The majority of DNSSEC validation today is via google DNS.

I think we need to go ahead with the roll over, have the humans fix the problems as they arise, and start re-building the trust in DNSSEC globally! (before it's too late!)

In my opinion, the uncertainty (with delaying the rollover) could start eroding the 'people' trust in DNSSEC as a technology. The sooner we get over this hurdle the better we are. I'm in the camp that DNSSEC is a viable technology, and we made an error in not rolling the key sooner and we need to acknowledge in advance there will be some collateral damage 'for people not running up to date stuff' but it's inevitable to bring this technology to maturity. If we don't take this risk, might as well turn it off because people won't trust it. Going from pulse to dial tone telephone, going from analog to digital TV, all had their share of collateral damage. Perfection is not an option, I think we're ready, let's do it!


And we should work with all the major search engines to make the DNSSEC/DNS failure related searches more relevant during the rollover, on terms like SERVFAIL, DNSSEC, DNS resolution failure, etc., and links to resolve. They won't be searching for KSK rollover and it should be mobile friendly.



The google top box (don't know what it's called) should say on DNS/DNSSEC search on the day we roll the key "We just rolled the KEY, if you're experiencing DNS issues, please ..."


Jacques



Jacques Latour - CTO
Canadian Internet Registration Authority (CIRA)
Tel: (613) 237-5335 ext.294 | www.cira.ca<http://www.cira.ca/>
