AT-LARGE GATEWAY

At-Large Website

ALAC

RALOs

At-Large Regional Policy Engagement Program (ARPEP)

At-Large Governance

At-Large Reports

Policy Comments & Advice

Working Groups

ICANN Meetings

At-Large Summit (ATLAS III)

At-Large Review Implementation Plan Development

ALAC and RALO Elections, Selections, and Appointments

At-Large Priority Activities - 2021

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 7 Next »

Public Comment CloseStatement
Name 

Status

Assignee(s)

Call for
Comments Open		Call for
Comments
Close 		Vote OpenVote CloseDate of SubmissionStaff Contact and EmailStatement Number

02 April 2018

Plan to Restart the Root Key Signing Key (KSK) Rollover Process

DRAFT

Lutz Donnerhacke

Paul Hoffman
paul.hoffman@icann.org

Hide the information below, please click here 

Brief Overview

Purpose: This Public Comment seeks public review of the plan to roll the root key signing key (KSK). The plan includes more publicity about being prepared for the rollover, analysis of the data being seen indicating the level of preparedness, and the actual rollover itself on 11 October 2018.

Current Status: The technical community discussed possible ways to determine when to roll the root KSK on the ksk-rollover@icann.org mailing list, and ICANN used that discussion as the basis for this plan.

Next Steps: ICANN organization will prepare a final plan that bases on the input from the public comments and present a full plan to the ICANN Board for approval.

Section I: Description and Explanation

The Plan for Continuing the Root KSK Rollover (https://www.icann.org/en/system/files/files/plan-continuing-root-ksk-rollover-01feb18-en.pdf [PDF, 93 KB]) describes how ICANN intends to roll the root key signing key (KSK). It is based on input from the community that followed ICANN's earlier decision to postpone the rollover. In summary, the plan is to roll the root KSK on 11 October 2018 after more publicity that is intended to help prepare operators for the rollover and making more data about the preparedness available.

Section II: Background

In 2009, the Root Zone Management partners (ICANN and Verisign, also called the “RZM partners”) collaborated to deploy Domain Name System Security Extensions (DNSSEC) in the root zone, which culminated in the first publication of a validated signed root zone in July 2010. That signature was based on a key signing key (KSK) that is maintained securely by ICANN. It was later agreed that “Each [root zone] KSK will be scheduled to be rolled over through a key ceremony as required, or after 5 years of operation.”

In December 2014, ICANN solicited volunteers from the community to participate with the RZM Partners in a Design Team to develop the Root Zone KSK Rollover Plan. That plan was put out for public comment on 6 August 2015, and was published on 7 March 2016.

On 27 September 2017, ICANN announced that the plan to change the cryptographic key that helps protect the Domain Name System (DNS) is being postponed. On 18 December 2017, ICANN began collecting comment from the community about the acceptable criteria for proceeding with the KSK rollover. The result of that discussion on the ksk-rollover@icann.org mailing list is the plan that is now open for comment.

Section III: Relevant Resources

Plan for Continuing the Root KSK Rolloverhttps://www.icann.org/en/system/files/files/plan-continuing-root-ksk-rollover-01feb18-en.pdf [PDF, 93 KB]

Section IV: Additional Information



Section V: Reports

Staff Contact

Paul Hoffman
paul.hoffman@icann.org

FINAL VERSION TO BE SUBMITTED IF RATIFIED

The final version to be submitted, if the draft is ratified, will be placed here by upon completion of the vote. 


FINAL DRAFT VERSION TO BE VOTED UPON BY THE ALAC

The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.


FIRST DRAFT SUBMITTED

The first draft submitted will be placed here before the call for comments begins.

The ALAC is pleased to have the opportunity to comment on the “Plan to Restart the Root KSK Rollover Process”.

DNSSEC changes the nature of the most decentralized service of the Internet, the DNS, fundamentally. It transforms a lightweight "lookup table" into a trustworthy database. It's trust is made up of two important fragments: solid cryptography implementations and transparent operations.

DNSSEC anchors the zone trust by hopping the delegation hierarchy backwards. But this process does terminate at the root. Implementing the trust for the root itself is incredible hard, ultimately it's not a technical problem at all. At this point, the trust (KSK) information needs to be put in the hands of countless network operators all over the world. This task is attributed to ICANN. AtLarge has to do it's own outreach on this subject using it's own distributed structure.

Cryptographic elements always have a lifetime, if they are keys or algorithms. It is good operational practice to change the keys regularly in order update the material and to ensure, that all processes are still in place. Changes of algorithms require a working key change process. Therefore the important root keys (where all the trust is rooted) need to be changed, too.

During the preparations of the rollover, various issues arose especially from embedded and operator-less devices. Efforts were made to estimate the impact of an KSK change for affected user groups. But all the data is still vague.

The proposed plan is to schedule the rollover for October  this year, missing two possible earlier dates. The gained time should be used for intensify the communication with the network operator crowd out there. Waiting for new protocols to be deployed in order to guess more accurately is not an option. So the communication should concentrate on preparation check lists and post-rollover recovery guides for validating recursors.

ALAC supports this plan: Shifting the schedule by exactly one year makes is much more easy for outsiders to keep in time with the activities. April is clearly to short for the necessary communication. Starting in July will collide with holiday breaks in several countries. Because we depend on the operators, the October date is more appropriate in terms of workload and memorizing the important dates.

The rise of IoT starts to create swamps of non updateable network devices. If the KSK rollover is further delayed, more and more such devices will be deployed, all of them unable to deal with an upcoming KSK change. The only chance to get those developers and companies on board is to rollover the KSK. Regularly.

  • No labels