On 01/04/2018 04:19 PM, Geoff Huston wrote:
When we roll the clock back to September 2017, the cited reason for the deferral of the root roll was the existence of data from resolvers that supported RFC8145 signalling that a pool of these resolvers had not loaded KSK20911 into their local trusted key store.
Carlos, (I’m asking because you posted a "me too") what is the data set you are using to justify this call to be “over soon”? It seems to me that in the absence of new data, the only changed factor is your own appetite for risk. Without additional data, your tolerance for risk appears to increase over time (*). But is this altered personal perception of the risk sufficient motivation to proceed? Objectively, if the numbers in September 2017 gave sufficient grounds to pause, and the numbers haven't changed (**) then surely the grounds for pausing the operation as as strong now as they were in September (***).
The grounds for pausing have the same strength that they did in September, yes. Which is to say, very limited compared to the overall risk of not doing the roll. Since a little before September when the 8145 data started rolling in all I've heard discussed is the risk to the deployed base if we do the roll and their stuff breaks. But there is another, arguably greater risk that is not being discussed, what happens if we get ourselves into a position where we are forced to do an emergency roll? (The common scenarios for that are key compromise, which is very unlikely but not impossible, and alg failure.) We aren't planning to do the roll for the fun of it. We are planning to do the roll because at SOME point in the future, it will be necessary to do one. Every day that we don't roll the key adds to that risk, since we already know, for sure, that rolling the key NOW will break stuff. There are only two conditions that can be true at this point: 1. DNSSEC, while deployed to a non-trivial degree, has little actual utility at this time. That is, nothing mission-critical depends on it now, or in the near future. OR 2. DNSSEC is an essential service that many organizations depend on. If #1 is true we should do the roll ASAP because any fallout from breakage will be minimal, and hopefully have a net positive benefit when people update their broken stuff. If #2 is true we should do the roll ASAP because we need to demonstrate that we can, and so that any breakage can be dealt with in a somewhat controlled environment with lots of eyeballs and resources dedicated to it. This ultimately will make the system more robust because people will fix their broken stuff, and develop confidence in the system regarding any possible rolls in the future. Either way, Jacques is right, we need to make like Nike and "Just Do It." Doug