On 28 Mar 2019, at 9:42 am, Wes Hardaker <wjhns1@hardakers.net> wrote:
I just mentioned this at a mic, and I'm re-broadcasting it here:
ditto - here’s what I croaked at the mic.

Learned Lessons:

* We rolled the KSK
* The roll was not without impact (e.g. at least a few hundred million users were affected when their ISP's resolver turned off DNSSEC validation at critical times in the roll process)
* This was not a rehearsal for a catastrophic and unexpected compromise of the KSK. It was a limited exercise in demonstrating that, albeit with some collateral damage, the KSK is malleable under certain conditions
* We have some issues with large UDP responses in the DNS.
* The DNS is determinedly opaque
* Legacy is an issue
* Trust Key management procedures operate in highly constrained scenarios
* Tolerance for risk is highly variable - there is no point that all parties can clearly tolerate
* The DNS continues to be surprising