SSAC Advisory on DNSSEC Key Rollover in the Root Zone (R-2)

Date IssuedDocumentReference IDCurrent Phase

  

SSAC Advisory on DNSSEC Key Rollover in the Root Zone (R-2)SAC063

CLOSED



  1. Phase 1 Receive
  2. Phase 2 Understand
  3. Phase 3 Evaluate
  4. Phase 4 Implement
  5. Phase 5 Close
  6. Closed



Description:

ICANN staff should lead, coordinate, or otherwise encourage the creation of a collaborative, representative testbed for the purpose of analyzing behaviors of various validating resolver implementations, their versions, and their network environments (e.g., middle boxes) that may affect or be affected by a root KSK rollover, such that potential problem areas can be identified, communicated, and addressed.


STATUS UPDATES

DatePhaseTypeStatus Updates

 

ClosedPhase ChangeThis Advice Item is now Closed

 

Phase 5Board UpdateResolved (2021.05.12.16), the Board finds that ICANN org acted upon all Recommendations from SAC063, SAC073, and SAC102, as is evidenced by the successful first KSK Rollover. The Board considers SAC063, SAC073, and SAC102 to be completed. See full resolution at https://www.icann.org/resources/board-material/resolutions-2021-05-12-en#2.c.

 

Phase 5Phase UpdateMatt Larson sent a letter to Rod Rasmussen advising that SAC062 is complete (https://www.icann.org/en/system/files/correspondence/larson-to-rasmussen-13jan21-en.pdf). SAC063 Notes: On 11 October 2018, ICANN org carried out the first rollover of the root zone key signing key (KSK). The project is documented in Review of the 2018 DNSSEC KSK Rollover, published by ICANN’s Office of the Chief Technology Officer (OCTO). This successful rollover completed the remaining open recommendations from three SSAC Advisories: SAC063: SSAC Advisory on DNSSEC Key Rollover in the Root Zone, made five recommendations for actions to be taken by ICANN org related to the first root zone KSK rollover. SAC073: SSAC Comments on Root Zone Key Signing Key Rollover Plan, contained SSAC’s comments on the draft report of the root KSK rollover Design Team. SAC073 reiterated SSAC’s recommendations from SAC063 and called for ICANN org’s final plan to directly address each recommendation. SAC102: SSAC Comment on the Updated Plan for Continuing the Root KSK Rollover, was the response to the ICANN Board’s request that SSAC provide advice to the Board on the Plan for Continuing the Root KSK Rollover. SSAC advised continuing with the rollover.

 

Phase 5Phase UpdateOn 15 October 2018 ICANN org determined that the first-ever changing of the cryptographic key that helps protect the DNS has been completed with minimal disruption of the global Internet (https://www.icann.org/news/announcement-2018-10-15-en). The test pass is part of the overall KSK Rollover Project. See: https://www.icann.org/resources/pages/ksk-rollover.

 

Phase 5Phase ChangeNow in Phase 5: Close

 

Phase 4Phase UpdateThe test pas is part of the overall KSK Rollover Project. On October 11, 2018 the new KSK begins to sign the root zone key set (the actual rollover event). See: https://www.icann.org/resources/pages/ksk-rollover. On 24 June 2017, the ICANN Board accepted this advice and directed the ICANN organization to implement per the ICANN organization's recommendation (https://www.icann.org/resources/board-material/resolutions-2017-06-24-en#2.b).

 

Phase 4Phase UpdateThe test pas is part of the overall KSK Rollover Project. On October 11, 2017 the new KSK begins to sign the root zone key set (the actual rollover event). See: https://www.icann.org/resources/pages/ksk-rollover. On 24 June 2017, the ICANN Board accepted this advice and directed the ICANN organization to implement per the ICANN organization's recommendation (https://www.icann.org/resources/board-material/resolutions-2017-06-24-en#2.b).

 

Phase 4Phase ChangeNow in Phase 4: Implement

 

Phase 3Phase UpdateThe test pas is part of the overall KSK Rollover Project. See https://www.icann.org/resources/pages/ksk-rollover On 24 June 2017, the ICANN Board accepted this advice and directed the ICANN organization to implement per the ICANN organization's recommendation (https://www.icann.org/resources/board-material/resolutions-2017-06-24-en#2.b).

 

Phase 3Board UpdateResolved (2017.06.24.19), the Board adopts the SSAC recommendations outlined in the document titled "Implementation Recommendations for SSAC Advice Documents SAC062, SAC063, SAC064, SAC065, SAC070, and SAC073 (08 June 2017) [PDF, 433 KB]", and directs the CEO to implement the advice as described in the document. SAC063 Recommendation 2 proposed solution: The Office of the CTO (OCTO) Research group will continue its work, already in progress as part of the root KSK rollover project implementation, to set up a resolver testbed to study the behavior of DNSSEC validator behavior under various operational conditions. In order to make the testbed open for collaborative use, additional resources will be necessary and the testbed would need to be migrated from the OCTO lab to the Information Technology (IT) department for production use. IT, working with OCTO, will need to provide cost estimates. See full resolution at https://www.icann.org/resources/board-material/resolutions-2017-06-24-en#2.b

 

Phase 3Phase ChangeNow in Phase 3: Evaluate & Consider

 

Phase 4Board UpdateBoard consideration is complete and implementation of advice item is ongoing. Status provided in 19 October 2016 letter from ICANN Board Chair to SSAC Chair (https://www.icann.org/en/system/files/correspondence/crocker-to-faltstrom-19oct16-en.pdf). The communication plan is part of the overall KSK Rollover Project. See https://www.icann.org/resources/pages/kskrollover. The outstanding work on this advice item will be addressed through the BAR pilot process.

 

Phase 4Phase ChangeNow in Phase 4: Implement

 

Phase 3Board UpdateResolved (2013.11.21.17), the Board acknowledges the receipt of SAC 063: SSAC Advisory on DNSSEC Key Rollover in the Root Zone. Resolved (2013.11.21.18), the Board directs ICANN's President and CEO to have the SSAC's advice from this Advisory entered into the advice tracking register and to confirm with the SSAC that the entries accurately capture the advice. Resolved (2013.11.21.19), the Board directs ICANN's President and CEO to have the advice provided in SAC063 evaluated, and to produce a recommendation to the Board regarding the acceptance of that advice, no later than 90 days from the adoption of this resolution. Resolved (2013.11.21.20), in the instances where ICANN recommends that the advice be accepted, the Board directs ICANN's President and CEO to have the feasibility and costs of implementing the advice evaluated, and to provide an implementation plan with timelines and high-level milestones for review by the Board, no later than 120 days from the adoption of this resolution. See full resolution at https://www.icann.org/resources/board-material/resolutions-2013-11-21-en#2.e.

 

Phase 1Phase UpdateSSAC published SAC063: SSAC Advisory on DNSSEC Key Rollover in the Root Zone: https://www.icann.org/en/system/files/files/sac-063-en.pdf.