(Apologies if you see this message more than once. Warren thought it should be posted here, too.)
Folks, Please permit me to point you to a posting on the icann.org <http://icann.org/> blog about the root KSK roll that just went live: https://www.icann.org/news/blog/announcing-draft-plan-for-continuing-with-the-ksk-roll <https://www.icann.org/news/blog/announcing-draft-plan-for-continuing-with-the-ksk-roll> As promised back in December, we listened to community feedback and made a draft plan for continuing with the root KSK roll: https://www.icann.org/en/system/files/files/plan-continuing-root-ksk-rollover-01feb18-en.pdf <https://www.icann.org/en/system/files/files/plan-continuing-root-ksk-rollover-01feb18-en.pdf> It's important to point out that the plan is only a draft and subject to further community review and comment. We're running a formal ICANN public comment period on it: https://www.icann.org/public-comments/ksk-rollover-restart-2018-02-01-en <https://www.icann.org/public-comments/ksk-rollover-restart-2018-02-01-en> I encourage you to please take the time to submit feedback through this process to let us know what you think of the plan and the proposed (not yet final) rescheduled date for the root KSK roll of October 11, 2018. Matt Announcing Draft Plan For Continuing With The KSK Roll By Matt Larson, VP of Research, Office of Chief Technology Officer A formal ICANN public comment <https://www.icann.org/public-comments/ksk-rollover-restart-2018-02-01-en> period has been opened to receive community input on a draft plan <https://www.icann.org/en/system/files/files/plan-continuing-root-ksk-rollover-01feb18-en.pdf> to proceed with the KSK rollover project. This comment period will run until 1 April 2018 and we are eager to receive any and all comments. The plan calls for rolling the root zone KSK on 11 October 2018 (one year later than originally planned), continuing extensive outreach to notify as many resolver operators as possible, and publishing more observations of the RFC 8145 trust anchor report data. Additional details are contained within the plan. In addition, we are planning a session at ICANN61 in Puerto Rico, to further discuss the plan and obtain additional feedback. The draft plan follows our posting <https://www.icann.org/news/blog/update-on-the-root-ksk-rollover-project> in late December, in which the ICANN organization announced next steps in the process to resume the root KSK rollover project. We described our efforts to track down the operators of DNS resolvers that were not ready for the rollover. Using a protocol described in RFC 8145 <https://tools.ietf.org/rfc/rfc8145.txt>, these problematic resolvers had reported to the root servers a trust anchor configuration with only the current KSK (known as KSK-2010) and not the newer KSK (known as KSK-2017). In our December posting we also detailed the difficulty in contacting operators, and noted that when we were able to reach an operator, we learned that there were a variety of causes for the resolver’s lagging configuration. The bottom line is that these findings did not afford much clarity as to the next steps for mitigating specific causes nor did they afford any guidance for appropriate messaging. Faced with this situation, we announced our intention to solicit input from the community on acceptable criteria for proceeding with the root KSK roll. Since that posting in December, a robust community discussion ensued between interested community members. There was agreement during these discussions that there is no way to accurately measure the number of users who would be affected by rolling the root KSK, even though there was a belief that better measurements may become available for future KSK rollovers. The consensus of those involved in the discussions was that the ICANN org should proceed with rolling the root zone KSK in a timely fashion while continuing outreach to ensure that the word of the rollover reach as wide an audience as possible. We look forward to continuing to work with the ICANN community to roll the root zone KSK.
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
