On 2018-01-07 at 12:19 -0800, S Moonesamy wrote:
Hi David, At 09:37 AM 07-01-2018, David Conrad wrote:
Yes. But I'm still not seeing where 2020 comes in. All the above is saying is that the 2010 KSK was in a position to be rolled after 2015.
The first KSK was introduced in 2010. That statement is about doing a KSK after five years. I multiplied the duration by two, hence the year 2020.
There was a discussion about the rollover in 2013. The delays since them could be interpreted as meaning that the KSK roll is indefinitely postponed. At some point there may be discussions about whether all this is reliable.
Sorry, where are you getting your numbers?
The numbers are from https://www.icann.org/news/blog/update-on-the-root-ksk-rollover-project
To be clear, we're now seeing about 8% of the RFC 8145-reporting resolvers (which is, of course, a subset of all validating resolvers) indicating they're configured for only KSK-2010. The issue is that we have no good idea of figuring out how many end users that percentage is representing and what the implications of breaking resolution for those end users will be.
According to data published by APNIC, 10.82% of DNSSEC validation worldwide is from Google Public DNS. It should be possible to take that number out of the equation by talking with someone at Google.
The (8%) number is not meaningful if I cannot explain it in an easily understandable manner. Would breaking resolution have an impact which is similar to the 2016 Dyn outage? Would it take down a significant part of the internet in a country?
Regards, S. Moonesamy
_______________________________________________ ksk-rollover mailing list ksk-rollover@icann.org https://mm.icann.org/mailman/listinfo/ksk-rollover