Dear colleagues, I'm forwarding a message I just posted to dns-operati...@dns-oarc.net announcing the postponement of the root KSK roll. Please excuse the posting from my personal email address: that's how I'm subscribed to this list and the only way to post in a timely fashion.
As you can imagine, it's been a very busy past few days. We always intended to update all the relevant operational lists and are doing so now.

Matt

> Begin forwarded message:
>
> From: Matt Larson <matt.lar...@icann.org>
> Subject: Root KSK roll delayed
> Date: September 28, 2017 at 9:47:14 AM PDT
> To: dns-operations <dns-operati...@dns-oarc.net>
>
> ICANN has decided to postpone the root KSK roll previously scheduled for 11 October 2017 for at least one quarter. This message gives some background and explanation for that decision.
>
> Historically there has been no way to determine which trust anchors DNSSEC validators have configured, making it difficult to assess the potential impact of the root KSK rollover. "Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC)" (defined in RFC 8145) is a recent protocol extension that allows a validator to report which trust anchors it has configured for a zone to that zone's name servers. The protocol was only finalized in April, 2017, and only the most recent versions of BIND (9.10.5b1 and 9.11.0b3 and later) and Unbound (1.6.4 and later) support it. This protocol was not expected to have sufficient deployment to provide useful information for the first root KSK rollover.
>
> However, initial research by Verisign and then by ICANN has found a growing number of validators reporting trust anchor configuration to the root servers. Based on data from six root server addresses, approximately 12,000 unique source IP addresses have sent trust anchor configuration reports so far in September 2017. The number reporting is growing and now approaches 1400 unique addresses per day. Significantly, approximately 5% of the total validators and about 6%-8% on any given day report only KSK-2010, the root zone KSK currently signing the root's DNSKEY RRset. These validators would not resolve correctly after the planned root KSK roll.
>
> There are various reasons a validator might report only KSK-2010. One reason is an old configuration with a statically configured trust anchor (e.g., BIND's "trusted-key" statement). ICANN has always known that a small percentage of validators would not be ready for the rollover because they had manually configured their trust anchor, and that operators of those validators would need to take action when the root KSK rollover happened.
>
> Another reason is a failure to automatically update the trust anchor using the RFC 5011 automated update protocol because of a software defect, operator error or other reason. Based on our research and preliminary investigation, we also believe it is possible that some operators believe that they are ready for the rollover because they configured their validator to use RFC 5011 automated updates, but will not trust KSK-2017 when the rollover happens due to configuration issues or software defects.
>
> Given the relatively high percentage of validators with just KSK-2010, ICANN believes it is important to better understand the reasons before proceeding with the root KSK roll. We will soon be publishing the list of resolvers reporting only KSK-2010 and will ask for the operational community's help in identifying, diagnosing and correcting these systems.
>
> Throughout the project we have emphasized that the root KSK is being rolled under normal operational conditions and have proceeded cautiously and without haste. The decision to postpone was taken in that spirit of caution because there is no operational pressure to proceed given our continued confidence in the security of KSK-2010.
>
> We appreciate the community's understanding and we look forward to your assistance in gathering the information necessary to move forward with the root KSK roll.
>
> Matt
>
> --
> Matt Larson, VP of Research
> ICANN Office of the CTO
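As an added example (not part of the forwarded message or ICANN's own tooling), the following script applies the RFC 8145 signaling the message describes to constructed query-log lines: it extracts the key tags from `_ta-` query names and lists the sources that report only KSK-2010, the same check ICANN says it used to find validators that would break after the roll. It assumes a constructed log format of timestamp, source address and query name, and uses the root KSK key tags 19036 (KSK-2010) and 20326 (KSK-2017), which the message itself does not give.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Key tags of the two root KSKs (not stated in the message; these are the
# published key tags of the root zone's 2010 and 2017 KSKs).
KSK_2010 = 19036  # hex 4a5c
KSK_2017 = 20326  # hex 4f66

# Constructed sample of root-server query log lines: timestamp, source, qname.
SAMPLE_LOG = """\
2017-09-20T10:00:01 198.51.100.7 _ta-4a5c-4f66.
2017-09-20T10:00:05 203.0.113.9 _ta-4a5c.
2017-09-20T10:00:09 192.0.2.33 www.example.
2017-09-20T10:00:12 203.0.113.9 _ta-4a5c.
2017-09-21T10:00:02 198.51.100.8 _ta-4f66.
2017-09-21T10:00:03 198.51.100.9 _ta-zzzz.
"""


def parse_key_tags(qname: str) -> Optional[List[int]]:
    """Return the key tags signalled by an RFC 8145 query name, or None.

    RFC 8145 encodes each configured trust anchor's key tag as a 4-digit
    hex label: _ta-<tag>[-<tag>...], queried under the zone's apex.
    """
    first = qname.split(".")[0]
    if not first.lower().startswith("_ta-"):
        return None
    tags = []
    for part in first.split("-")[1:]:
        if len(part) != 4 or any(c not in "0123456789abcdefABCDEF" for c in part):
            return None  # malformed label: not a valid signal, ignore it
        tags.append(int(part, 16))
    return tags


def classify(log_text: str) -> Dict[str, Set[int]]:
    """Union of key tags signalled per source address across the log."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        tags = parse_key_tags(fields[2])
        if tags:
            seen[fields[1]].update(tags)
    return dict(seen)


def only_ksk2010(seen: Dict[str, Set[int]]) -> List[str]:
    """Sources that signal KSK-2010 and never KSK-2017: these would fail after the roll."""
    return sorted(src for src, tags in seen.items() if tags == {KSK_2010})
```

A source is flagged only if every report it sent lacks KSK-2017, so a validator that signals both keys on different days is correctly treated as ready.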