Current status of KSK-RollOver?
Hi, how are the chances to make the 10/11/2018 for the Root Zone KSK Rollover? Regards, Renne
On Aug 16 2018, Rene 'Renne' Bartsch asked:
how are the chances to make the 10/11/2018 for the Root Zone KSK Rollover?
and I suppose we can take the ICANN documents referenced in Paul's Hoffman's post today as part of an answer to that. Also the latest "Call for Participation" in ICANN 63 (20-25 October) includes this nugget: | 2. Post KSK Rollover | Following the Root Key Rollover, we would like to bring together a panel of | people who can talk about lessons learned from this KSK Rollover and lessons | learned for the next time which sounds almost hubristically confident. No mention of "or alternatively, we will talk about why we had to back off yet again". One thing mentioned in https://www.icann.org/news/blog/minimal-user-impact-expected-from-root-zone-... from 18 July was | Looking forward, the ICANN org will soon reach out to the 1,000 Internet | Service Providers (ISPs) with the most active resolver traffic that suggests | DNSSEC validation has been enabled in order to ensure they aware that the | root KSK roll will occur on 11 October 2018. Those ISPs will also be surveyed | on their preparation plans for the rollover, which may cause those resolver | operators to become more aware of the KSK rollover. It would certainly be interesting if ICANN could tell us how well that project is going, confidentiality permitting. -- Chris Thompson Email: cet1@cam.ac.uk
On Aug 16, 2018, at 4:39 AM, Rene 'Renne' Bartsch, B.Sc. Informatics via ksk-rollover <ksk-rollover@icann.org<mailto:ksk-rollover@icann.org>> wrote: how are the chances to make the 10/11/2018 for the Root Zone KSK Rollover? The ICANN staff on the root KSK roll project are working to provide the Board with appropriate information so they can make an informed decision. As for the chances of the rollover proceeding on schedule, it would be inappropriate for us to predict the ICANN Board's actions. On Aug 23, 2018, at 7:12 AM, Chris Thompson <cet1@cam.ac.uk<mailto:cet1@cam.ac.uk>> wrote: On Aug 16 2018, Rene 'Renne' Bartsch asked: how are the chances to make the 10/11/2018 for the Root Zone KSK Rollover? and I suppose we can take the ICANN documents referenced in Paul's Hoffman's post today as part of an answer to that. Also the latest "Call for Participation" in ICANN 63 (20-25 October) includes this nugget: | 2. Post KSK Rollover | Following the Root Key Rollover, we would like to bring together a panel of | people who can talk about lessons learned from this KSK Rollover and lessons | learned for the next time which sounds almost hubristically confident. No mention of "or alternatively, we will talk about why we had to back off yet again". I think our optimistic position for ICANN63 planning purposes is reasonable and I would not characterize it as "hubristically confident" (though I'm going to remember that expression and use it some day!). Certainly if the KSK roll is postponed, that would change the content of post-11 October meetings. One thing mentioned in https://www.icann.org/news/blog/minimal-user-impact-expected-from-root-zone-... from 18 July was | Looking forward, the ICANN org will soon reach out to the 1,000 Internet | Service Providers (ISPs) with the most active resolver traffic that suggests | DNSSEC validation has been enabled in order to ensure they aware that the | root KSK roll will occur on 11 October 2018. Those ISPs will also be surveyed | on their preparation plans for the rollover, which may cause those resolver | operators to become more aware of the KSK rollover. It would certainly be interesting if ICANN could tell us how well that project is going, confidentiality permitting. We kicked off this survey last Tuesday (21 August), when we sent ~4000 email messages to the contacts listed in the RIR databases for 2552 ASNs. These networks represent traffic from DNSSEC-aware recursive resolvers that serve 99.5% of the end-user device IPs in APNIC's Google Ad-based data set. (Thanks to Geoff Huston at APNIC for his help here!). Our threshold for backing out of the KSK rollover is a negative impact affecting 0.5% of Internet users, hence our messages to networks responsible for serving 99.5%. This seemed as good of a place as any to make the cutoff decision for whom to survey. The emails we sent serve both as a notification of the rollover and a request to take a survey to assess readiness for the rollover. The survey will run for two weeks, completing just in time to provide the results to the Board to aid in their decision-making process about proceeding with the rollover. Matt -- Matt Larson, VP of Research ICANN Office of the CTO
Am 23.08.18 um 15:44 schrieb Matt Larson:
We kicked off this survey last Tuesday (21 August), when we sent ~4000 email messages to the contacts listed in the RIR databases for 2552 ASNs. These networks represent traffic from DNSSEC-aware recursive resolvers that serve 99.5% of the end-user device IPs in APNIC's Google Ad-based data set. (Thanks to Geoff Huston at APNIC for his help here!). Our threshold for backing out of the KSK rollover is a negative impact affecting 0.5% of Internet users, hence our messages to networks responsible for serving 99.5%. This seemed as good of a place as any to make the cutoff decision for whom to survey. The emails we sent serve both as a notification of the rollover and a request to take a survey to assess readiness for the rollover. The survey will run for two weeks, completing just in time to provide the results to the Board to aid in their decision-making process about proceeding with the rollover.
I suggest a cooperation with big anycast DNS resolver operators like Cloudflare DNS, Google Public DNS, Quad9, etc. to publish their resolver IPs in the news as a fallback for end-users in case their ISP messes up DNSSEC. Additionally I suggest to ask router vendors to publish model-specific step-by-step guides how to change the resolver IPs. As internet will fail in such cases the guides should be printable (e.g. PDF-A). ;-) Renne
On Tue, Aug 28, 2018 at 10:27:44AM +0200, Rene 'Renne' Bartsch, B.Sc. Informatics via ksk-rollover <ksk-rollover@icann.org> wrote a message of 14 lines which said:
I suggest a cooperation with big anycast DNS resolver operators like Cloudflare DNS, Google Public DNS, Quad9, etc. to publish their resolver IPs in the news as a fallback for end-users
I strongly oppose the idea of promoting big US data silos as an alternative to the ISP resolver. (Also, while this is less important, I think it would blurr the message to the users and create unecessary FUD.)
On 08/28/2018 01:37 AM, Stephane Bortzmeyer wrote:
On Tue, Aug 28, 2018 at 10:27:44AM +0200, Rene 'Renne' Bartsch, B.Sc. Informatics via ksk-rollover <ksk-rollover@icann.org> wrote a message of 14 lines which said:
I suggest a cooperation with big anycast DNS resolver operators like Cloudflare DNS, Google Public DNS, Quad9, etc. to publish their resolver IPs in the news as a fallback for end-users
I strongly oppose the idea of promoting big US data silos as an alternative to the ISP resolver. (Also, while this is less important, I think it would blurr the message to the users and create unecessary FUD.)
+1
Hello everyone, I have been quiet for a while mostly observing, catching up with incredibly well written documentation by ICANN team. Great work. I wanted to chime in and support ICANN's decision on proceeding with the plan of rolling KSK 11 October 2018 as planned. I have put my thoughts in a blog https://www.kapany.net/blog/root-ksk-rollover - I want to be the first one to congratulate the ICANN team for their hard work and dedication on keeping Root Zone secure. Best regards Mehmet On Tue, Aug 28, 2018 at 9:50 AM Doug Barton <dougb@dougbarton.email> wrote:
On 08/28/2018 01:37 AM, Stephane Bortzmeyer wrote:
On Tue, Aug 28, 2018 at 10:27:44AM +0200, Rene 'Renne' Bartsch, B.Sc. Informatics via ksk-rollover < ksk-rollover@icann.org> wrote a message of 14 lines which said:
I suggest a cooperation with big anycast DNS resolver operators like Cloudflare DNS, Google Public DNS, Quad9, etc. to publish their resolver IPs in the news as a fallback for end-users
I strongly oppose the idea of promoting big US data silos as an alternative to the ISP resolver. (Also, while this is less important, I think it would blurr the message to the users and create unecessary FUD.)
+1 _______________________________________________ ksk-rollover mailing list ksk-rollover@icann.org https://mm.icann.org/mailman/listinfo/ksk-rollover
On Wed, Aug 29, 2018 at 12:08:59AM -0700, Mehmet Akcin <mehmet@akcin.net> wrote a message of 106 lines which said:
I wanted to chime in and support ICANN's decision on proceeding with the plan of rolling KSK 11 October 2018 as planned.
Me too, but can we say there was a decision? I understood that, less than two months before the event, it is still not "decided" (as in "decided by the management").
My understanding (correct me if I am mistaken here)... that they are proceeding as planned. On Wed, Aug 29, 2018 at 12:21 AM Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
On Wed, Aug 29, 2018 at 12:08:59AM -0700, Mehmet Akcin <mehmet@akcin.net> wrote a message of 106 lines which said:
I wanted to chime in and support ICANN's decision on proceeding with the plan of rolling KSK 11 October 2018 as planned.
Me too, but can we say there was a decision? I understood that, less than two months before the event, it is still not "decided" (as in "decided by the management").
On 29 Aug 2018, at 17:22, Mehmet Akcin <mehmet@akcin.net> wrote:
My understanding (correct me if I am mistaken here)... that they are proceeding as planned.
No, the ICANN board will give a hopefully clear and emphatic go/no go decision at the next board meeting.
On Wed, Aug 29, 2018 at 12:21 AM Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote: On Wed, Aug 29, 2018 at 12:08:59AM -0700, Mehmet Akcin <mehmet@akcin.net> wrote a message of 106 lines which said:
I wanted to chime in and support ICANN's decision on proceeding with the plan of rolling KSK 11 October 2018 as planned.
Me too, but can we say there was a decision? I understood that, less than two months before the event, it is still not "decided" (as in "decided by the management").
ksk-rollover mailing list ksk-rollover@icann.org https://mm.icann.org/mailman/listinfo/ksk-rollover
https://www.icann.org/en/system/files/files/ksk-rollover-expect-22aug18-en.p... “Currently planned for 11 October 2018..” I interpret this as “we are moving forward” I might be wrong, but that’s my understanding.. On Wed, Aug 29, 2018 at 12:32 AM Kal <icann@feherfamily.org> wrote:
On 29 Aug 2018, at 17:22, Mehmet Akcin <mehmet@akcin.net> wrote:
My understanding (correct me if I am mistaken here)... that they are proceeding as planned.
No, the ICANN board will give a hopefully clear and emphatic go/no go decision at the next board meeting.
On Wed, Aug 29, 2018 at 12:21 AM Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
On Wed, Aug 29, 2018 at 12:08:59AM -0700, Mehmet Akcin <mehmet@akcin.net> wrote a message of 106 lines which said:
I wanted to chime in and support ICANN's decision on proceeding with the plan of rolling KSK 11 October 2018 as planned.
Me too, but can we say there was a decision? I understood that, less than two months before the event, it is still not "decided" (as in "decided by the management").
_______________________________________________
ksk-rollover mailing list ksk-rollover@icann.org https://mm.icann.org/mailman/listinfo/ksk-rollover
_______________________________________________ ksk-rollover mailing list ksk-rollover@icann.org https://mm.icann.org/mailman/listinfo/ksk-rollover
-- Mehmet +1-424-298-1903
Hi, The decision to move forward is on the agenda for the upcoming Board workshop in Brussels on Sept 15. Staff is recommending moving forward based on the information we have, however it is the Board that will be voting the final decision regarding following the revised plan which proposing putting the new KSK in use on 11 Oct 2018. We (staff) appreciate any input on the KSK rollover the community might offer (we’re writing the Board resolution and supporting paper now). Regards, -drc
On Aug 29, 2018, at 12:36 AM, Mehmet Akcin <mehmet@akcin.net> wrote:
https://www.icann.org/en/system/files/files/ksk-rollover-expect-22aug18-en.p... <https://www.icann.org/en/system/files/files/ksk-rollover-expect-22aug18-en.p...>
“Currently planned for 11 October 2018..” I interpret this as “we are moving forward”
I might be wrong, but that’s my understanding..
On Wed, Aug 29, 2018 at 12:32 AM Kal <icann@feherfamily.org <mailto:icann@feherfamily.org>> wrote:
On 29 Aug 2018, at 17:22, Mehmet Akcin <mehmet@akcin.net <mailto:mehmet@akcin.net>> wrote:
My understanding (correct me if I am mistaken here)... that they are proceeding as planned.
No, the ICANN board will give a hopefully clear and emphatic go/no go decision at the next board meeting.
On Wed, Aug 29, 2018 at 12:21 AM Stephane Bortzmeyer <bortzmeyer@nic.fr <mailto:bortzmeyer@nic.fr>> wrote: On Wed, Aug 29, 2018 at 12:08:59AM -0700, Mehmet Akcin <mehmet@akcin.net <mailto:mehmet@akcin.net>> wrote a message of 106 lines which said:
I wanted to chime in and support ICANN's decision on proceeding with the plan of rolling KSK 11 October 2018 as planned.
Me too, but can we say there was a decision? I understood that, less than two months before the event, it is still not "decided" (as in "decided by the management"). _______________________________________________
ksk-rollover mailing list ksk-rollover@icann.org <mailto:ksk-rollover@icann.org> https://mm.icann.org/mailman/listinfo/ksk-rollover <https://mm.icann.org/mailman/listinfo/ksk-rollover>
_______________________________________________ ksk-rollover mailing list ksk-rollover@icann.org <mailto:ksk-rollover@icann.org> https://mm.icann.org/mailman/listinfo/ksk-rollover <https://mm.icann.org/mailman/listinfo/ksk-rollover> -- Mehmet +1-424-298-1903 _______________________________________________ ksk-rollover mailing list ksk-rollover@icann.org <mailto:ksk-rollover@icann.org> https://mm.icann.org/mailman/listinfo/ksk-rollover <https://mm.icann.org/mailman/listinfo/ksk-rollover>
On Wed, Aug 29, 2018 at 07:42:14AM +0000, David Conrad <david.conrad@icann.org> wrote a message of 322 lines which said:
The decision to move forward is on the agenda for the upcoming Board workshop in Brussels on Sept 15.
Which means that we will be able to outreach seriously with the local "community" less than one month before the event. IMHO, this is too short. I thought it was decided a long time ago :-(
We (staff) appreciate any input on the KSK rollover the community might offer
There are three good reasons NOT to delay any further: 1) there is no serious perspective to get more information in the near future. We have to accept the (very moderate) uncertainty. 2) Even if we had perfect information about the broken resolvers, there are sysadmins that will do nothing until the day before (and even some that will do nothing until the day after…) We cannot wait to have 0 % issues. 3) The most important reason is communication: there are already sysadmins who told me "Oh, I won't do anything, I'm certain it will be postponed again". If we postpone one more time, nobody will take seriously the third announced date.
Am 29.08.18 um 10:07 schrieb Stephane Bortzmeyer:
3) The most important reason is communication: there are already sysadmins who told me "Oh, I won't do anything, I'm certain it will be postponed again". If we postpone one more time, nobody will take seriously the third announced date.
I agree. If postponed again DNSSEC will definitely achieve the "Vaporware" state in the public view. Renne
Domain incite wrote a piece on this. http://domainincite.com/23353-icann-faces-critical-choice-as-security-expert... I understood from that article, that SSAC generally agreed that the roll-over should happen but five (out of 22) were not in agreement. I also understand that the "risk" (of collateral damage) is now acceptable. Personally, I hope the Board agrees to go ahead with the key-rollover. That Lithium battery inside the HSM with its five year life expectancy is in its sixth (or so) year? I'm actually eager to see what happens and expect almost no negative impact. I believe that the majority of Broken stuff in DNSSEC aware recursive resolvers will be fixed very quickly and sincerely hope no one goes around removing DS records. I live in South Africa where just under 50% (according to https://stats.labs.apnic.net/dnssec) of people use a DNSSEC aware recursive resolver. The ZACR (South African Central Registry) has done about 10 years of free DNS/DNSSEC teaching to the ISP community, which I was personally involved in. I'm obviously hoping for Zero issues. (I like to think that the 50% is somewhat due to those twice-a-year workshops :) On 08/29/2018 09:42 AM, David Conrad wrote:
Hi,
The decision to move forward is on the agenda for the upcoming Board workshop in Brussels on Sept 15.
Staff is recommending moving forward based on the information we have, however it is the Board that will be voting the final decision regarding following the revised plan which proposing putting the new KSK in use on 11 Oct 2018.
We (staff) appreciate any input on the KSK rollover the community might offer (we’re writing the Board resolution and supporting paper now).
Regards, -drc
On Aug 29, 2018, at 12:36 AM, Mehmet Akcin <mehmet@akcin.net <mailto:mehmet@akcin.net>> wrote:
https://www.icann.org/en/system/files/files/ksk-rollover-expect-22aug18-en.p...
“Currently planned for 11 October 2018..” I interpret this as “we are moving forward”
I might be wrong, but that’s my understanding..
On Wed, Aug 29, 2018 at 12:32 AM Kal <icann@feherfamily.org <mailto:icann@feherfamily.org>> wrote:
On 29 Aug 2018, at 17:22, Mehmet Akcin <mehmet@akcin.net <mailto:mehmet@akcin.net>> wrote:
My understanding (correct me if I am mistaken here)... that they are proceeding as planned.
No, the ICANN board will give a hopefully clear and emphatic go/no go decision at the next board meeting.
On Wed, Aug 29, 2018 at 12:21 AM Stephane Bortzmeyer <bortzmeyer@nic.fr <mailto:bortzmeyer@nic.fr>> wrote:
On Wed, Aug 29, 2018 at 12:08:59AM -0700, Mehmet Akcin <mehmet@akcin.net <mailto:mehmet@akcin.net>> wrote a message of 106 lines which said:
> I wanted to chime in and support ICANN's decision on proceeding with > the plan of rolling KSK 11 October 2018 as planned.
Me too, but can we say there was a decision? I understood that, less than two months before the event, it is still not "decided" (as in "decided by the management").
_______________________________________________
ksk-rollover mailing list ksk-rollover@icann.org <mailto:ksk-rollover@icann.org> https://mm.icann.org/mailman/listinfo/ksk-rollover
_______________________________________________ ksk-rollover mailing list ksk-rollover@icann.org <mailto:ksk-rollover@icann.org> https://mm.icann.org/mailman/listinfo/ksk-rollover
-- Mehmet +1-424-298-1903 _______________________________________________ ksk-rollover mailing list ksk-rollover@icann.org <mailto:ksk-rollover@icann.org> https://mm.icann.org/mailman/listinfo/ksk-rollover
_______________________________________________ ksk-rollover mailing list ksk-rollover@icann.org https://mm.icann.org/mailman/listinfo/ksk-rollover
-- Mark James ELKINS - Posix Systems - (South) Africa mje@posix.co.za Tel: +27.128070590 Cell: +27.826010496 For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
Mark, On 2018-08-29 11:23, Mark Elkins wrote:
That Lithium battery inside the HSM with its five year life expectancy is in its sixth (or so) year?
I believe that HSM can be replaced without rolling the key, so this is not a strong motivator. I still strongly favor rolling the key, for many other reasons! 😀 Cheers, -- Shane
On Aug 29, 2018, at 7:06 AM, Shane Kerr <shane@time-travellers.org<mailto:shane@time-travellers.org>> wrote: On 2018-08-29 11:23, Mark Elkins wrote: That Lithium battery inside the HSM with its five year life expectancy is in its sixth (or so) year? I believe that HSM can be replaced without rolling the key, so this is not a strong motivator. Indeed, and we have already done so: the four original HSMs have been retired and replaced. Matt
I have promoted DNSSEC for years and always heard the same bad excuses: DNS server admins: developers of hard- and software clients do not support DNSSEC Hard-/software developers: DNS servers do not support DNSSEC Users: configuration is a huge effort All: KSK rollover will fail leading to an internet blackout Bottom line: Rolling out DNSSEC is not a technical but a social problem. It's called fear and laziness. It seems the focus of the ICANN board is too technical to realize this. The indecisiveness of the ICANN board makes all involved parties insecure. If the KSK-rollover is postponed again, no one will take DNSSEC serious. If the KSK-rollover becomes a big fail everyone will avoid DNSSEC. It's time to get things done to gain the trust of all involved parties. I suggest a marketing campaign to promote the benefits of the DNSSEC/DANE dyad for users who will then push service providers and hard-/software developers. Renne Am 29.08.18 um 13:27 schrieb Matt Larson:
On Aug 29, 2018, at 7:06 AM, Shane Kerr <shane@time-travellers.org <mailto:shane@time-travellers.org>> wrote:
On 2018-08-29 11:23, Mark Elkins wrote:
That Lithium battery inside the HSM with its five year life expectancy is in its sixth (or so) year?
I believe that HSM can be replaced without rolling the key, so this is not a strong motivator.
Indeed, and we have already done so: the four original HSMs have been retired and replaced.
Matt
Hi, On Aug 29, 2018, at 3:36 PM, Rene 'Renne' Bartsch, B.Sc. Informatics via ksk-rollover <ksk-rollover@icann.org> wrote:
Rolling out DNSSEC is not a technical but a social problem. It's called fear and laziness. It seems the focus of the ICANN board is too technical to realize this.
In my experience, it is rare for someone to say the focus of ICANN’s board “too technical” :).
The indecisiveness of the ICANN board makes all involved parties insecure.
To clarify, the Board has not been not indecisive. They haven’t yet been asked to make a decision on rolling the KSK.
I suggest a marketing campaign to promote the benefits of the DNSSEC/DANE dyad for users who will then push service providers and hard-/software developers.
We (staff) would love to hear thoughts on benefits of DNSSEC/DANE (we know of some, but would be interested in hearing others). However, this may be a bit out of charter for this mailing list. Regards, -drc
Am 30.08.18 um 01:24 schrieb David Conrad:
To clarify, the Board has not been not indecisive. They haven’t yet been asked to make a decision on rolling the KSK.
Which is extremely late ...
We (staff) would love to hear thoughts on benefits of DNSSEC/DANE (we know of some, but would be interested in hearing others). However, this may be a bit out of charter for this mailing list.
Where to discuss this? In short: 1. TLS is vulnerable to MITM-attacks with intermediate certificates (e.g. firewall applications) -> DANE-TLS solves that problem 2. Free (self-signed) client- or server certificates without the risk of fraudulent or incompetent CAs 3. Easy and secure public key exchange and revocation for any application with end-to-end encryption (e.g. email: DANE-SMIMEA, DANE-OpenPGP, VPN, messengers, online services, embedded devices, ...) Renne
On 30.8.2018 01:24, David Conrad wrote:
Hi,
On Aug 29, 2018, at 3:36 PM, Rene 'Renne' Bartsch, B.Sc. Informatics via ksk-rollover <ksk-rollover@icann.org <mailto:ksk-rollover@icann.org>> wrote:
Rolling out DNSSEC is not a technical but a social problem. It's called fear and laziness. It seems the focus of the ICANN board is too technical to realize this.
In my experience, it is rare for someone to say the focus of ICANN’s board “too technical” :).
The indecisiveness of the ICANN board makes all involved parties insecure.
To clarify, the Board has not been not indecisive. They haven’t yet been asked to make a decision on rolling the KSK.
I suggest a marketing campaign to promote the benefits of the DNSSEC/DANE dyad for users who will then push service providers and hard-/software developers.
We (staff) would love to hear thoughts on benefits of DNSSEC/DANE (we
I would put https://tools.ietf.org/html/rfc7477 aka "Child-to-Parent Synchronization in DNS" on the list. DNSSEC is required to do this in a secure way but once we have it we can get rid of parent-child NS desynchronization problem. That would help a lot with DNS operations/debugging because parent-child desync can be lurking for months or even years before last NS is moved elsewhere and then whole domain breaks suddenly. -- Petr Špaček @ CZ.NIC
On Aug 29 2018, Rene 'Renne' Bartsch, B.Sc. Informatics via ksk-rollover wrote:
I have promoted DNSSEC for years and always heard the same bad excuses:
DNS server admins: developers of hard- and software clients do not support DNSSEC Hard-/software developers: DNS servers do not support DNSSEC Users: configuration is a huge effort All: KSK rollover will fail leading to an internet blackout
Presuming that this last refers specifically to root zone KSK rollover, my impression is that it was not mentioned much by the "DNSSEC is bad" people until it became obvious that it was going to be more difficult than was originally envisaged. If it is indeed the case that it is now the most commonly raised objection to DNSSEC, this could be because the other ones mentioned above are looking increasingly flimsy. -- Chris Thompson Email: cet1@cam.ac.uk
participants (11)
-
Chris Thompson -
David Conrad -
Doug Barton -
Kal -
Mark Elkins -
Matt Larson -
Mehmet Akcin -
Petr Špaček -
Rene 'Renne' Bartsch, B.Sc. Informatics -
Shane Kerr -
Stephane Bortzmeyer