KSK2017 Rollover was a success
Repeat from what I said at the microphone today.

Main lesson from this roll is it worked better than we could have expected, given this was the first time. We expect that software/configuration has bugs/errors and this exposed some. There might have been some configurations that did not anticipate change in the key used ==> nothing besides rolling the KSK could have exposed that.

There were some outages, there may have been some sites that turned off DNSSEC and we need to get some measurements of what that long-term effect was, i.e. did the validation get turned back on.

The traffic increase reported was interesting but the big picture is it was in the NOISE range, i.e. all root servers should be able to deal with such a small increase.

I have no opinion at this point when next to roll or how fast to perform that roll.

Ólafur
I agree with Olafur. The KSK rollover should be considered an overall success. Coming from a community where there is a vocal minority that only grudgingly deployed, if there was a significant issue with the rollover we would have heard about it. There could be improvement, but overall it was successful.

I also agree that we should start looking at post-quantum algorithms in DNSSEC. NIST has an effort underway now: https://csrc.nist.gov/Topics/Security-and-Privacy/cryptography/post-quantum-... There isn’t anything available that could be suggested, but it is an effort I intend to follow. A breakthrough in quantum computing could mean everyone needs to rapidly deploy a new algorithm.

Scott

From: ksk-rollover <ksk-rollover-bounces@icann.org> on behalf of Ólafur Guðmundsson via ksk-rollover <ksk-rollover@icann.org>
Reply-To: Ólafur Guðmundsson <olafur@cloudflare.com>
Date: Thursday, March 28, 2019 at 7:23 AM
To: KSK Rollover <ksk-rollover@icann.org>
Subject: [ksk-rollover] KSK2017 Rollover was a success

> Repeat from what I said at the microphone today.
>
> Main lesson from this roll is it worked better than we could have expected, given this was the first time. We expect that software/configuration has bugs/errors and this exposed some. There might have been some configurations that did not anticipate change in the key used ==> nothing besides rolling the KSK could have exposed that.
>
> There were some outages, there may have been some sites that turned off DNSSEC and we need to get some measurements of what that long-term effect was, i.e. did the validation get turned back on.
>
> The traffic increase reported was interesting but the big picture is it was in the NOISE range, i.e. all root servers should be able to deal with such a small increase.
>
> I have no opinion at this point when next to roll or how fast to perform that roll.
>
> Ólafur
> I also agree that we should start looking at post-quantum algorithms in DNSSEC.

I believe that DNSSEC should, like other IETF groups, wait for CFRG to speak. He presented at IETF99; https://datatracker.ietf.org/meeting/99/materials/slides-99-saag-post-quantu...
On 29.03.19 at 20:01, Salz, Rich via ksk-rollover wrote:
>> I also agree that we should start looking at post-quantum algorithms in DNSSEC.
>
> I believe that DNSSEC should, like other IETF groups, wait for CFRG to speak. He presented at IETF99; https://datatracker.ietf.org/meeting/99/materials/slides-99-saag-post-quantu...
There are two sides:
- deploy a post-quantum algorithm
- deploy any secondary algorithm

For the latter we don't have to wait.

Andreas
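Deploying a secondary algorithm, as Andreas suggests, means double-signing: RFC 4035 section 2.2 requires that every algorithm listed in the apex DNSKEY RRset also signs each RRset, or validators that only trust one of the algorithms will treat the zone as bogus. The script below is an added example, not code from this thread or from any of its participants. It parses a constructed DNSKEY/RRSIG set in presentation format, computes each key's tag (RFC 4034 Appendix B), marks which keys carry the SEP flag (KSKs), and reports algorithms that have no RRSIG over the DNSKEY RRset as well as RRSIGs whose key tag matches no published key (the kind of stale-signature or forgotten-key mismatch a rollover surfaces). The zone name, keys and signatures are all constructed, the base64 key material is not real, and no signature is cryptographically verified; the check is about coverage of the apex DNSKEY RRset only, not every RRset in the zone.

```python
import base64
import struct

# Constructed sample apex records in presentation format (not real zone data).
# Two KSK/ZSK pairs: algorithm 8 (RSASHA256) and algorithm 13 (ECDSAP256SHA256).
# The DNSKEY RRset is signed only by the algorithm-8 keys, and one stale RRSIG
# refers to a key tag that is no longer published.
SAMPLE_ZONE = """
example. 3600 IN DNSKEY 257 3 8 AQIDBA==
example. 3600 IN DNSKEY 256 3 8 BQYHCA==
example. 3600 IN DNSKEY 257 3 13 CQoLDA==
example. 3600 IN DNSKEY 256 3 13 DQ4PEA==
example. 3600 IN RRSIG DNSKEY 8 1 3600 20190401000000 20190301000000 2063 example. c2lnMQ==
example. 3600 IN RRSIG DNSKEY 8 1 3600 20190401000000 20190301000000 4118 example. c2lnMg==
example. 3600 IN RRSIG DNSKEY 8 1 3600 20190401000000 20190301000000 3087 example. c2lnMw==
"""

SEP_FLAG = 0x0001  # bit 15 of the DNSKEY flags field: Secure Entry Point (KSK)


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (generic formula; the algorithm-1 special case is not handled)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_zone(text):
    """Parse DNSKEY and RRSIG lines in presentation format; other record types are ignored."""
    keys, sigs = [], []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 8 or f[2] != "IN":
            continue
        if f[3] == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            pub = base64.b64decode("".join(f[7:]))
            keys.append({
                "name": f[0], "flags": flags, "algorithm": alg,
                "ksk": bool(flags & SEP_FLAG),
                "tag": key_tag(flags, proto, alg, pub),
            })
        elif f[3] == "RRSIG" and len(f) >= 13:
            # fields: type-covered, algorithm, labels, orig-ttl, expiration, inception, key-tag, signer, signature
            sigs.append({
                "name": f[0], "covers": f[4], "algorithm": int(f[5]),
                "tag": int(f[10]), "signer": f[11],
            })
    return keys, sigs


def check_algorithm_coverage(keys, sigs):
    """RFC 4035 section 2.2: each algorithm in the apex DNSKEY RRset must sign every RRset,
    including the DNSKEY RRset itself. Returns (algorithms present, algorithms lacking an
    RRSIG over DNSKEY, RRSIG key tags matching no published DNSKEY of that algorithm)."""
    key_algs = {k["algorithm"] for k in keys}
    dnskey_sigs = [s for s in sigs if s["covers"] == "DNSKEY"]
    sig_algs = {s["algorithm"] for s in dnskey_sigs}
    missing = sorted(key_algs - sig_algs)
    published = {(k["algorithm"], k["tag"]) for k in keys}
    dangling = sorted(s["tag"] for s in dnskey_sigs if (s["algorithm"], s["tag"]) not in published)
    return sorted(key_algs), missing, dangling


if __name__ == "__main__":
    keys, sigs = parse_zone(SAMPLE_ZONE)
    for k in keys:
        print(f"{k['name']} alg={k['algorithm']} tag={k['tag']} {'KSK' if k['ksk'] else 'ZSK'}")
    present, missing, dangling = check_algorithm_coverage(keys, sigs)
    print("algorithms in DNSKEY RRset:", present)
    print("algorithms with no RRSIG over DNSKEY (RFC 4035 2.2 violation):", missing)
    print("RRSIGs over DNSKEY whose key tag matches no published key:", dangling)
```

On the constructed input the report flags algorithm 13 as published but not signing, which is exactly the state a zone is in halfway through adding a second algorithm; a validator that trusts only a DS for algorithm 13 would fail the zone. The key-tag computation is the same one a resolver uses to pick the DNSKEY for an RRSIG, so the "dangling" list also catches an RRSIG left behind from a key that has already been removed.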
participants (4)
- A. Schulze
- Rose, Scott (Fed)
- Salz, Rich
- Ólafur Guðmundsson