[ksk-rollover] Starting discussion on acceptable criteria for proceeding with the root KSK roll

Doug Barton dougb at dougbarton.email
Sat Jan 6 22:36:26 UTC 2018 

David, thanks for the reply. Some responses below.

On 01/05/2018 10:42 AM, David Conrad wrote:
> Doug,
>
> On January 4, 2018 at 11:50:02 PM, Doug Barton (dougb at dougbarton.email 
> <mailto:dougb at dougbarton.email>) wrote:
>> Since a little before September when the 8145 data started rolling in
>> all I've heard discussed is the risk to the deployed base if we do the
>> roll and their stuff breaks. But there is another, arguably greater risk
>> that is not being discussed, what happens if we get ourselves into a
>> position where we are forced to do an emergency roll? (The common
>> scenarios for that are key compromise, which is very unlikely but not
>> impossible, and alg failure.)
>
> If they key gets lost or compromised, my understanding is that we 
> cannot use RFC 5011 to do the roll and must fall back to doing an 
> out-of-band key rollover. We aren’t really exercising this under this 
> iteration of the community defined KSK rollover plan.
>

Correct, but we're well past the point where we can run an emergency 
roll as an exercise. When I was leading IANA and we were in the early 
stages of planning for signing the root, several of us (and I include 
myself in that group) wanted to hold the first 90 days or so after the 
signing went public as a sort of "production beta" period, and perform 
an emergency roll during that period for precisely this reason. But that 
ship sailed long ago, so at this point we are limited in what we can do.

While the current exercise won't directly address any concerns related 
to an /emergency/ roll, ANY roll at this point is better than no roll, 
because the risk of not knowing what will happen during/after a roll is 
great now, and increases daily as DNSSEC grows in importance.

>> There are only two conditions that can be true at this point:
>> […]
>> If #1 is true we should do the roll ASAP […]
>> If #2 is true we should do the roll ASAP […]
>
> As I’ve noted previously, this would appear to argue that SAC-063 
> rec#3 should not have been made and that the amount of “breakage” is 
> irrelevant. It would be nice if SSAC were to weigh in on this.
>
I was a founding member of the SSAC before I joined the ICANN staff. 
While it's been some time since I participated with them, I feel I 
understand their remit pretty well. The recommendation you refer to 
reads (sorry for any copy/paste issues):

    It is expected that there will be some issues during at least the
    first KSK rollover, and
    probably the next few.  It will not be possible to anticipate all
    the problems that may
    occur but an agreed understanding of when the rollover has affected
    operational stability
    beyond a reasonable boundary is essential so the decision to
    rollback the rollover can be
    made quickly and efficiently.

To me, that recommendation seems to provide a solid balance between 
acknowledging that there will be problems, and also taking the 
importance of stability into account by asking for both a rollback plan 
and a criteria for the rollback decision. That all seems perfectly 
reasonable and appropriate. The SSAC is asked to provide advice on 
/both/ Security and Stability. in this case, adding security (by showing 
that a 5011 roll can be performed with a minimum of disruption) requires 
a small, but necessary sacrifice in stability. That makes this issue no 
different than other, similar issues; like IPv6, IDNs, the new gTLD 
program, or even the introduction of DNSSEC itself.

At this point we have gathered as much data as we can realistically 
obtain (as you, Matt, and others have pointed out). That the data is 
both incomplete, and imperfect, is unfortunate; but inevitable given the 
state of the technology. If the reason for failing to proceed with the 
plan at this point is the data, I fear that we will never proceed, as 
there is no reasonable expectation that the data will improve in 
quality, no matter how long we wait.

It's also worth pointing out in regards to your concern about the SSAC 
recommendation that it does not call for perfect data. In fact, it 
specifically acknowledges that, "It will not be possible to anticipate 
all the problems that may occur." That point seems to bear repeating 
since i have seen several references to SSAC #063 as a reason not to 
proceed, while my reading of that document does not support that 
conclusion in any way. Like you, I think it would be useful if the 
members of the AC that worked on that document would weigh in.

At the end of the day, I sympathize with your position, David. (Perhaps 
more so than most others would be able to.) But waiting makes the 
problem worse, not better. At this point it's entirely reasonable to 
conclude that ICANN has gone above and beyond in their efforts to make 
the transition process as smooth as possible, and now it's time to move 
forward.

Warmest regards,

Doug




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20180106/f2f71677/attachment-0001.html>

More information about the ksk-rollover mailing list