[RZERC] RZERC advice to the Board on KSK rollover

Russ Mundy mundy at tislabs.com
Tue Jun 19 18:11:40 UTC 2018


Jim/Duane/all,

I apologize for the slow response to this chain but I do think it’s important for RZERC to respond to the Board resolution for a couple of reasons:

- First, as far as I can recall, this is the first direct request from the Board to RZERC for our advice on anything so we really do need to respond;

- Second, this is a real opportunity for RZERC to decide whether or not we should speak on a particular topic/question.

Based on our last call, I don’t think that anyone is opposed to responding to the Board’s request (the first point above) so the challenge becomes what do we think that RZERC should say (second point above)?

See more thoughts inline below:

> On Jun 18, 2018, at 3:51 PM, Jim Reid <jim at rfc1035.com> wrote:
> 
> 
> 
>> On 13 Jun 2018, at 00:47, Wessels, Duane via RZERC <rzerc at icann.org> wrote:
>> 
>> As I see it, RZERC must first agree on whether or not the requested advice is within its scope.  During our brief previous discussion I heard some members advocate for giving advice with specific recommendations while others felt perhaps we should politely decline.

I think that we’re obligated to respond but the response might provide advice or not provide any advice (for various potential reasons).

>> 
>> Since the timeframe is relatively short, I propose we try to reach consensus here on the list on the scope question.  If we agree it is in-scope then we can use some time at our next regular meeting (Panama) to draft a response.
> 
> Duane/all, I’m unsure whether RZERC should comment on the planned rollover. This seems to be out of scope. IMO the proposed rollover isn’t a “major architectural change to the DNS root”. Perhaps a future KSK rollover would represent such a change if that meant moving to a different crypto algorithm (say) and/or resulted in a bigger signed response that could have a significant operational impact.

I think that I mostly disagree with Jim’s description here (sorry Jim).  I read our charter again and I think that both the first and third paragraphs of the Scope of Responsibility put the question clearly in our scope - in particular, the portions that talk about content of the root zone (which the root KSK clearly is part of) and the “security, stability or resiliency risks to the architecture _and_operation_ of the DNS root zone.” (emphasis added by me).  Since changing the root KSK may impact DNS users doing DNSSEC validation, I see the question from the Board as very much within the scope of our charter.

> 
> However I could be persuaded to change my mind if someone could explain why sending the board a “meh” response wouldn’t be acceptable or appropriate.

I hope that I’ve persuaded Jim (& others :-) that the question is within our scope.

> 
> I have asked the IAB for their comments on this topic and here’s what they have to say:
> 
>> We've discussed it internally, and the basic message appears to be that you have to do it some time, because you'll eventually need it to get cryptographic agility, so they should proceed with all deliberate speed.  Once they have done it, we think they should do it frequently enough that it isn't a huge guessing game about the state of the codebase's coverage.  
>> 
>> Assessing the operational readiness we didn't feel we had much particular insight into, which is why we didn't say anything out loud in response to the last white paper.
> 
> If RZERC does make a substantive response to the board’s request, I hope this will incorporate the IAB’s perspective above.

The input from the IAB seems reasonable to me.

Russ
