Hi Paul, Matt and all.
(Switching hats) I've followed the discussion quite a bit on the mailing list, and feel that pretty much most of what needed to be said was said, so I'll leave it at that and not repeat anything. But here are 2c:
I admire the fact that ICANN are taking this on the chin, delaying the roll-over in deference to the end user. However, I feel ICANN may be overstepping the mark: Ultimately, it is up to the operators to 'opt-in' and use DNSSEC. Aside from the TLDs you have a say over, ICANN don't have the authority (and to a degree, the responsibility) to dictate to these resolver operators: No gun was ever held to their heads to force them to adopt DNSSEC.
That said, I disagree with a number here who say 'just do it.' There be dragons and I agree with Geoff, there's the issue of inviting comparisons to the Wild West of the Internet.
I would offer this: Announce a tentative date of April 11, 2018 and see who pipes up (just tell them I did it). Operators (negligent, diligent, absent) can only be warned for so long and so much that ultimately the warnings fall on deaf ears or people just get jaundiced and don't believe it will happen. The danger of setting a date is to have it moved again and losing further operational trust.
Those suggesting to wait for more data (if there is a reasonable expectation of more coming) I could suggest a date of October 11, 2018. It gives time to determine if a trend can be established plus it gives a unique opportunity of a longer-term transition by having KSK 2010 and KSK 2017 hang around longer together and ultimately studying the effect of that too. Plus it gives more time for operators to actually fix things.
In summing and to bring this back to the original poster's question, here's a stab at criteria for setting a date for the complete rollover (in no particular order):
1) measuring the value of trust in DNSSEC
2) having the best available data
3) a trend showing an uptake of KSK 2017 reaching the best rate approaching a flatline in that data.
If a date can be agreed to, what happens next is to do another reach out, but more targeted. For example, for those registrars that offer up DS key registration, can they link to a notice from the dialog boxes where they get entered, or publish a one-line blurb about the impending roll-over and what that means?
Alternatively here's perhaps a more risky proposition: A combination of 'just do it' but with a twist. Pull the old KSK for a fixed time period (hours?) WITH lots of prior advance warning on a certain date (someone WILL be collecting data....right?). Long have there been calls by groups to attempt to disrupt the DNS, what's a planned *potential* outage affecting DNSSEC? Seriously though, it is akin to jerking a sleeping dog's chain, but no one really knows if it's a Chihuahua or a Great Dane on the other side of that fence until a hardy pull gets made.
I think your note below on communications hits the mark so I'll leave it at that.
Thanks,
On Wed, 17 Jan 2018, Matt Larson wrote:
On Jan 17, 2018, at 1:19 PM, Warren Kumari <warren@kumari.net> wrote:
I meant to include the below in my original bloviation: I think it would be really useful to reach out to the press who published articles on the keyroll pause (e.g.: BleepingComputer, Bloomberg, Modern Ghana, The Register, ITWorld, etc) - having them be told ahead of time that ICANN stopped things, got community feedback and is proceeding cautiously (potentially) changes the narrative completely - and, at least, helps prevent the bad PR hit to ICANN (this is an ICANN list, after all) and them feeling blindsided. Converting the potential PR ding into a win would be nice - and may also reach more people.
This is a good suggestion and I will add it to the hopper of PR ideas. Please recall that in late December (https://www.icann.org/news/blog/update-on-the-root-ksk-rollover-project), we wrote:
The ICANN org will monitor this mailing list and beginning on 15 January 2018, we will develop a draft plan for proceeding with the root KSK roll based on the input received and discussion on the mailing list. The plan will be published by 31 January 2018 and undergo a formal ICANN public comment process to gather further input.
We are indeed planning to publish a draft plan for moving forward at the end of the month based on this discussion, and we're also planning PR activities to publicize the plan and the formal public comment, including outreach to publications that have previously covered the root KSK roll or that we suspect would be willing to cover it.
Matt