[RZERC] RZERC advice to the Board on KSK rollover

Jim Reid jim at rfc1035.com
Mon Jun 18 19:51:41 UTC 2018



> On 13 Jun 2018, at 00:47, Wessels, Duane via RZERC <rzerc at icann.org> wrote:
> 
> As I see it, RZERC must first agree on whether or not the requested advice is within its scope.  During our brief previous discussion I heard some member advocate for giving advice with specific recommendations while others felt perhaps we should politely decline.
> 
> Since the timeframe is relatively short, I propose we try to reach consensus here on the list on the scope question.  If we agree it is in-scope then we can use some time at our next regular meeting (Panama) to draft a response.

Duane/all, I’m unsure whether RZERC should comment on the planned rollover. This seems to be out of scope. IMO the proposed rollover isn’t a “major architectural change to the DNS root”. Perhaps a future KSK rollover would represent such a change if that meant moving to a different crypto algorithm (say) and/or resulted in a bigger signed response that could have a significant operational impact.

However I could be persuaded to change my mind if someone could explain why sending the board a “meh” response wouldn’t be acceptable or appropriate.

I have asked the IAB for their comments on this topic and here’s what they have to say:

> We've discussed it internally, and the basic message appears to be that you have to do it some time, because you'll eventually need it to get cryptographic agility, so they should proceed with all deliberate speed.  Once they have done it, we think they should do it frequently enough that it isn't a huge guessing game about the state of the codebase's coverage.  
> 
> Assessing the operational readiness we didn't feel we had much particular insight into, which is why we didn't say anything out loud in response to the last white paper.

If RZERC does make a substantive response to the board’s request, I hope this will incorporate the IAB’s perspective above.

