[Comments-ksk-rollover-restart-01feb18] Plan for Continuing the Root KSK Rollover

[Joe Abley]

Afilias has reviewed the document “Plan for Continuing the Root KSK Rollover” published by the ICANN Office of the CTO on 1 February 2018, as well as the public outreach that continues to be carried out by ICANN on this subject.

Afilias has considerable experience managing KSK rollovers in top-level domain and other zones, e.g. as part of the regular transition of TLDs to Afilias registry management, ensuring that our technical staff have operational confidence in the processes involved. As a leading supporter of DNSSEC deployment, we understand the operational importance of proper key management and the root zone is not an exception.

We believe that the depth of consideration that has been given by ICANN to the potential outcomes of the root zone KSK rollover is appropriate and sufficient. However, after extensive analysis it seems clear today that the data sets that caused ICANN to exercise caution are noisy and ambiguous, and do not contain clear evidence that significant negative end-user impact is likely.

We also believe that there is a significant and larger risk in not rolling the KSK. There is important work that remains to be done relating to both scheduled and emergency Root KSK Rollover that cannot reasonably proceed until this work is done. ICANN’s cryptographic asset management is of a very high standard; however, the lack of a demonstrated ability to execute both scheduled and emergency KSK Rollover with confidence presents a significant gap.

In our considered opinion, a balanced risk assessment supports the prompt execution of the Plan for Continuing the Root KSK Rollover without further delay.

Afilias further recommends that ICANN facilitates planning and community consultation on measurement of and improvements to the many technical mechanisms involved in KSK Rollover, and establishes a regular cadence for future scheduled Root KSK Rollovers.

Regards,


Joe Abley
Infrastructure Scientist
Afilias