[RZERC] RZERC advice to the Board on KSK rollover

Sat Jun 23 11:32:11 UTC 2018

> On 19 Jun 2018, at 19:11, Russ Mundy <mundy at tislabs.com> wrote:
> 
> Since changing the root KSK may impact DNS users doing DNSSEC validation, I see the question from the Board is very much within the scope of our charter.

Sorry Russ, I’m still not convinced. We can throw rotting fruit at each other on Monday. :-)

IMO the rollover isn’t a major change to the root (or shouldn’t be) and is therefore out of scope for RZERC. This should be a routine change, just like tweaking the NS records and glue for a delegation or renumbering a root server. RZERC wouldn’t get involved in these matters. I think a KSK rollover would be in scope for us if it meant adding a new RRtype or a change of crypto algorithm or the newly signed responses had the potential to cause more fragmentation issues. A “routine” rollover -- albeit that the upcoming one will be the very first -- doesn’t pass that threshold. YMMV.

I suppose this comes down to how we or others see RZERC’s role wrt root zone content. Or what is meant by root zone content.

If we provide a substantive response to the Board request -- BTW please note I agree RZERC has to reply -- that will almost certainly mean we get asked about every future KSK rollover. I think that would stray too far into operational details which are even more out of scope for RZERC.

To an extent, I’m playing devil’s advocate here in the hope of getting clarity and consensus on our role and the nature of the advice we’re expected to offer about this matter. 