SSAC Advisory on DNSSEC Key Rollover in the Root Zone (R-5)
| Date Issued | Document | Reference ID | Current Phase |
|---|---|---|---|
| SSAC Advisory on DNSSEC Key Rollover in the Root Zone (R-5) | SAC063 | CLOSED |
Description:
ICANN staff should lead, coordinate, or otherwise encourage the collection of as much information as possible about the impact of a KSK rollover to provide input to planning for future rollovers.
STATUS UPDATES
| Date | Phase | Type | Status Updates |
|---|---|---|---|
| Closed | Phase Change | This Advice Item is now Closed |
| Phase 5 | Board Update | Resolved (2021.05.12.16), the Board finds that ICANN org acted upon all Recommendations from SAC063, SAC073, and SAC102, as is evidenced by the successful first KSK Rollover. The Board considers SAC063, SAC073, and SAC102 to be completed. See full resolution at https://www.icann.org/resources/board-material/resolutions-2021-05-12-en#2.c. |
| Phase 5 | Phase Update | Matt Larson sent a letter to Rod Rasmussen advising that SAC062 is complete (https://www.icann.org/en/system/files/correspondence/larson-to-rasmussen-13jan21-en.pdf). On 11 October 2018, ICANN org carried out the first rollover of the root zone key signing key (KSK). The project is documented in Review of the 2018 DNSSEC KSK Rollover, published by ICANN’s Office of the Chief Technology Officer (OCTO). This successful rollover completed the remaining open recommendations from three SSAC Advisories: SAC063: SSAC Advisory on DNSSEC Key Rollover in the Root Zone, made five recommendations for actions to be taken by ICANN org related to the first root zone KSK rollover. SAC073: SSAC Comments on Root Zone Key Signing Key Rollover Plan, contained SSAC’s comments on the draft report of the root KSK rollover Design Team. SAC073 reiterated SSAC’s recommendations from SAC063 and called for ICANN org’s final plan to directly address each recommendation. SAC102: SSAC Comment on the Updated Plan for Continuing the Root KSK Rollover, was the response to the ICANN Board’s request that SSAC provide advice to the Board on the Plan for Continuing the Root KSK Rollover. SSAC advised continuing with the rollover. |
| Phase 5 | Phase Update | On 15 October 2018 ICANN org determined that the first-ever changing of the cryptographic key that helps protect the DNS has been completed with minimal disruption of the global Internet (https://www.icann.org/news/announcement-2018-10-15-en). The data collection program is part of the overall KSK Rollover Project. See: https://www.icann.org/resources/pages/ksk-rollover. |
| Phase 5 | Phase Change | Now in Phase 5: Close |
| Phase 4 | Phase Update | The communication plan is part of the overall KSK Rollover Project. On October 11, 2017 the new KSK begins to sign the root zone key set (the actual rollover event). See: https://www.icann.org/resources/pages/ksk-rollover. On 24 June 2017, the ICANN Board accepted this advice and directed the ICANN organization to implement per the ICANN organization's recommendation (https://www.icann.org/resources/board-material/resolutions-2017-06-24-en#2.b). |
| Phase 4 | Phase Change | Now in Phase 4: Implement |
| Phase 3 | Phase Update | The communication plan is part of the overall KSK Rollover Project. See https://www.icann.org/resources/pages/ksk-rollover The ICANN organization understands recommendation 5 of SAC063 to indicate staff should collect as much information as possible about the impact of the KSK rollover so that data can be analyzed by DNS experts and made available to the community to facilitate planning for future rollovers. This recommendation is understood to mean that data about the events surrounding the roll of the trust anchor must be collected and should be archived to facilitate planning for future rollovers. On 24 June 2017, the ICANN Board accepted this advice and directed the ICANN organization to implement per the ICANN organization's recommendation (https://www.icann.org/resources/board-material/resolutions-2017-06-24-en#2.b). |
| Phase 3 | Board Understanding | The ICANN organization understands recommendation 5 of SAC063 to indicate staff should collect as much information as possible about the impact of the KSK rollover so that data can be analyzed by DNS experts and made available to the community to facilitate planning for future rollovers. This recommendation is understood to mean that data about the events surrounding the roll of the trust anchor must be collected and should be archived to facilitate planning for future rollovers. |
| Phase 3 | Board Update | Resolved (2017.06.24.19), the Board adopts the SSAC recommendations outlined in the document titled "Implementation Recommendations for SSAC Advice Documents SAC062, SAC063, SAC064, SAC065, SAC070, and SAC073 (08 June 2017) [PDF, 433 KB]", and directs the CEO to implement the advice as described in the document. SAC063 Recommendation 5 proposed solution: The Office of the CTO (OCTO) Research group and IANA staff have planned and are now implementing the project to roll the root zone’s KSK. The project plan already includes steps to monitor the effects of the rollover. The OCTO Research group is already collecting traffic to multiple root name servers and will continue to do so through the duration of the project. OCTO Research is also gathering and analyzing other relevant data, such as RSSAC002 statistics reported by most root operators. Portions of data collected will be made available. The OCTO Research and Public Technical Identifier (PTI) staff anticipate writing a report at the conclusion of the project documenting experiences, including observations regarding the impact of the rollover, to aid in planning future rollovers. See full resolution at https://www.icann.org/resources/board-material/resolutions-2017-06-24-en#2.b |
| Phase 3 | Phase Change | Now in Phase 3: Evaluate & Consider |
| Phase 4 | Board Update | Board consideration is complete and implementation of advice item is ongoing. Status provided in 19 October 2016 letter from ICANN Board Chair to SSAC Chair (https://www.icann.org/en/system/files/correspondence/crocker-to-faltstrom-19oct16-en.pdf). The communication plan is part of the overall KSK Rollover Project. See https://www.icann.org/resources/pages/kskrollover. The outstanding work on this advice item will be addressed through the BAR pilot process. |
| Phase 4 | Phase Change | Now in Phase 4: Implement |
| Phase 3 | Board Update | Resolved (2013.11.21.17), the Board acknowledges the receipt of SAC 063: SSAC Advisory on DNSSEC Key Rollover in the Root Zone. Resolved (2013.11.21.18), the Board directs ICANN's President and CEO to have the SSAC's advice from this Advisory entered into the advice tracking register and to confirm with the SSAC that the entries accurately capture the advice. Resolved (2013.11.21.19), the Board directs ICANN's President and CEO to have the advice provided in SAC063 evaluated, and to produce a recommendation to the Board regarding the acceptance of that advice, no later than 90 days from the adoption of this resolution. Resolved (2013.11.21.20), in the instances where ICANN recommends that the advice be accepted, the Board directs ICANN's President and CEO to have the feasibility and costs of implementing the advice evaluated, and to provide an implementation plan with timelines and high-level milestones for review by the Board, no later than 120 days from the adoption of this resolution. See full resolution at https://www.icann.org/resources/board-material/resolutions-2013-11-21-en#2.e. |
| Phase 1 | Phase Update | SSAC published SAC063: SSAC Advisory on DNSSEC Key Rollover in the Root Zone: https://www.icann.org/en/system/files/files/sac-063-en.pdf. |
