[ksk-rollover] Fate sharing

Olaf Kolkman kolkman at isoc.org
Thu Mar 28 09:22:13 UTC 2019



As I just mentioned at the #IETF104 BOF.


I think there is a fate sharing requirement to be made: DNS infrastructure (authoritative and recursive servers) that has not bought into the DNSSEC project should not be impacted by the roll.

It would be good to understand if there were any resolvers that had resolution issues during the roll while they were not validating. I believe the examples that Geoff gave were about infrastructure that broke because validation was going on (and consequently turned off), but if it is the case that big ISPs lost connectivity while they were not doing DNSSEC validation, because of any stage in key rollover, that would be good to know.

Frederico Neves just mentioned to me that 82%+ of queries towards .BR have the DO bit set (even though they may not do validation) which means that they are somewhat bought into any effects caused by transport issues.

So maybe the requirement above may not be realistically met.

—Olaf
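
Added example, not part of the original message: a Python sketch of how the share of queries carrying the DO bit could be measured from DNS wire-format queries. The DO bit is the top bit of the flags half of the EDNS0 OPT record's TTL field (RFC 3225); the function names and the sample queries are constructed for illustration.

```python
import struct

def build_query(name, do=False, edns=True):
    """Build a constructed A query in wire format, optionally with an OPT RR."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if edns:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode(8) | version(8) | DO(1) | Z(15), RDLEN = 0
        msg += b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000 if do else 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a name, handling compression pointers."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def do_bit(msg):
    """True/False if an OPT RR is present, None if the query has no EDNS0."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:                        # OPT
            return bool(ttl & 0x8000)
    return None

def do_share(queries):
    """Fraction of queries with DO set; queries without EDNS0 count as not set."""
    return sum(1 for q in queries if do_bit(q)) / len(queries)

# Constructed sample: four queries with DO set, one without EDNS0 at all.
SAMPLE = [build_query("example.br", do=True) for _ in range(4)]
SAMPLE.append(build_query("example.br", edns=False))

if __name__ == "__main__":
    print(f"DO share: {do_share(SAMPLE):.0%}")
```

A resolver counted by `do_share` receives signatures in its responses whether or not it validates them, which is the exposure to transport effects the message describes.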