[ksk-rollover] KSK2017 Rollover was a success

Rose, Scott (Fed) scott.rose at nist.gov
Fri Mar 29 14:26:10 UTC 2019 

I agree with Olafur.  The KSK rollover should be considered an overall success.  Coming from a community where there is a vocal minority that only grudgingly deployed, if there was a significant issue with the rollover we would have heard about it.  There could be improvement, but overall it was successful.

I also agree that we should start looking at post-quantum algorithms in DNSSEC.  NIST has an effort underway now:
https://csrc.nist.gov/Topics/Security-and-Privacy/cryptography/post-quantum-cryptography  There isn’t anything available that could be suggested, but it is an effort I intend to follow.  A breakthrough in quantum computing could mean everyone needs to rapidly deploy of a new algorithm.

Scott

From: ksk-rollover <ksk-rollover-bounces at icann.org> on behalf of Ólafur Guðmundsson via ksk-rollover <ksk-rollover at icann.org>
Reply-To: Ólafur Guðmundsson <olafur at cloudflare.com>
Date: Thursday, March 28, 2019 at 7:23 AM
To: KSK Rollover <ksk-rollover at icann.org>
Subject: [ksk-rollover] KSK2017 Rollover was a success


Repeat from what I said at the microphone today

Main lesson from this roll is it worked better than we could have expected,  given this was the first time,
We expect that software/configuration has bugs/errors and this exposed some.
There might have been some configurations that did not anticipate change in the key used ==> nothing beside rolling the KSK could have exposed that.

There were some outages, there may have been some sites that turned off DNSSEC
and we need to get some measurements of what that long term effect was i.e. did the validation get turned back on.

The traffic increase reported was interesting but the big picture is it was in the NOISE range, i.e. all root servers should be able to deal with such small increase.

I have no opinion at this point when next to roll or how fast to perform that roll.

Ólafur
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20190329/b4a2bfa9/attachment-0001.html>

More information about the ksk-rollover mailing list