[Comments-ksk-rollover-restart-01feb18] Handy Networks Comment on the KSK Rollover Process

Jay Sudowski - Handy Networks LLC jay at handynetworks.com
Mon Apr 2 20:02:25 UTC 2018


I submit this comment in my professional capacity as the CEO of Handy Networks, LLC – a cloud hosting and data center based company with customers from 40+ countries.

The proposed plan states:

"Even after a concerted effort, ICANN org could often not determine which resolvers sent the message (such as when the resolver had a dynamic address), so there was no way to determine how many users would be affected by the rollover or why those resolvers had not updated their trust anchors. Additionally, even when ICANN org could identify the specific resolver, efforts to contact the operator were often unsuccessful."

Given that the outreach efforts have been “often unsuccessful,” I ask OCTO to provide more details regarding the number and methods of contact that have been used to engage operators of potentially misconfigured DNS resolvers.  I also ask that ICANN share some insight into their decision making process around why certain methods of outreach were excluded, given the importance of this issue.

I also have done a quick analysis on a set of data provided by ICANN from February 1 – February 8, 2018 concerning potentially misconfigured DNS resolvers.  I was able to draw the following observations:


  *   50% of misconfigured resolvers live in just 25 ASNs,
  *   The top 2 ASNs represent 22% of misconfigured resolvers,
  *   1900 of 2300 ASNs with misconfigured resolvers have less than 9 hosts that are improperly configured.

This analysis indicates that ICANN should adopt a more comprehensive outreach strategy, relative to the criticality of certain ASNs.  Specifically, ICANN should consider adopting more comprehensive outreach methods to reach misconfigured DNS resolver operators, utilizing a combination of direct manual outreach to the ASNs with the highest density of issues, indirect outreach through RIRs, ISCO, NOGs, and automated outreach efforts to operators using WHOIS and rWHOIS data that is publicly available.

Furthermore, ICANN should embrace the data it is in possession of and create a publicly available status page that provides aggregate metrics and trending about the number of potentially misconfigured DNS resolvers.  Additionally, ICANN should also consider creating a web service that network operators could interact with to get detailed information about potentially misconfigured hosts on their networks.

-----
Jay Sudowski // Handy Networks LLC // Co-Founder & CEO

Providing Dedicated Server, IaaS and
Colocation Hosting Solutions
Tel: 303-414-6902  | Cell: 720-544-1485 | Fax: 303-414-6912
www.handynetworks.com
