Architectural reconsideration on ICANN's Root Zone KSK rollover
Hi folks,

I followed the discussion in this ML and composed a draft proposal (attached and in my repo) as an input. I will not proceed in IETF but will consider publishing it in another form, if you think it is too radical to implement. Any comments on the proposal or edits for my poooor English are welcome. :-)

The link of my repo: https://github.com/songlinjian/Parallel-Root-KSK-Rollover

Best regards,
Davey
Hi folks,

Last week I posted this proposal on this mailing list. There was no reply online, but there were several comments offline which are very helpful and help make this proposal more practical.

- One important concern is that it may take too long to roll the key, waiting for standardization, implementation and large deployment by the “good” guys. And there is no incentive for the “good” guys to do all the work for the “lazy” guys. So I'm inspired that an additional set of root servers and coordination between server and resolver are not necessary for this purpose. All the work can be done on the server side. It can be implemented on the server side with "two logic views" (similar to but different from the BIND multiple view mechanism). When the authoritative server recognizes the resolvers that support RFC 5011 (via RFC 8145 or combined with kskroll-sentinel), it can roll the key only for them. Roll the KSK not once for all but per-resolver. In that case there is no need for any modification on the resolver. Only root server operators should do this work. So there is no interoperability problem. No specification of DNS is needed, which shortens the time and the concerns.

- Another concern is the implication or panic of an alternative root caused by saying "paralleled root server". Although the proposal has nothing to do with an alternative root, the wording can be changed to an “upgrade path” instead.

I will change the proposal according to the comments, and I still welcome other comments.

Best regards,
Davey

From: ksk-rollover [mailto:ksk-rollover-bounces@icann.org] On Behalf Of Davey Song(宋林健)
Sent: 26 January 2018 11:33
To: ksk-rollover@icann.org
Subject: [ksk-rollover] Architectural reconsideration on ICANN's Root Zone KSK rollover

Hi folks,

I followed the discussion in this ML and composed a draft proposal (attached and in my repo) as an input. I will not proceed in IETF but will consider publishing it in another form, if you think it is too radical to implement. Any comments on the proposal or edits for my poooor English are welcome. :-)

The link of my repo: https://github.com/songlinjian/Parallel-Root-KSK-Rollover

Best regards,
Davey
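The per-resolver selection described in the follow-up message above, sketched as an added example that is not part of the thread or of the linked repository: it reads RFC 8145 QNAME-form trust-anchor signals (`_ta-<hex key tags>`) from a query log and picks a view for each resolver. The view names, the log format and the selection policy are assumptions made for illustration; 19036 and 20326 are the key tags of the 2010 and 2017 root KSKs.

```python
import re

# Root KSK key tags: KSK-2010 = 19036 (0x4a5c), KSK-2017 = 20326 (0x4f66).
NEW_KSK_TAG = 20326

# RFC 8145 section 5.1 QNAME form: "_ta-" + 4-hex-digit key tags joined by "-".
_TA_LABEL = re.compile(r"^_ta-([0-9a-f]{4}(?:-[0-9a-f]{4})*)$", re.IGNORECASE)


def parse_ta_qname(qname):
    """Return the key tags signaled for the root zone, or None if not a signal."""
    labels = qname.rstrip(".").split(".")
    if len(labels) != 1:          # a root-zone signal is a single label
        return None
    m = _TA_LABEL.match(labels[0])
    if not m:
        return None
    return {int(h, 16) for h in m.group(1).split("-")}


def assign_views(query_log):
    """Map each resolver address to 'old-ksk' or 'new-ksk'.

    Hypothetical policy: a resolver moves to the new-KSK view only when its
    most recent signal lists the new key tag; everyone else stays on the old one.
    """
    latest = {}
    for resolver, qname in query_log:      # log is assumed to be in time order
        tags = parse_ta_qname(qname)
        if tags is not None:
            latest[resolver] = tags
        else:
            latest.setdefault(resolver, set())
    return {r: ("new-ksk" if NEW_KSK_TAG in t else "old-ksk")
            for r, t in latest.items()}


# Constructed sample: (resolver address, QNAME) pairs using documentation addresses.
SAMPLE_LOG = [
    ("192.0.2.10", "_ta-4a5c."),          # only KSK-2010 configured
    ("192.0.2.20", "_ta-4a5c-4f66."),     # both keys trusted (RFC 5011 worked)
    ("192.0.2.30", "example."),           # never signals: stays on old view
    ("192.0.2.10", "_ta-4a5c-4f66."),     # later picks up the new key
    ("192.0.2.40", "_ta-zzzz."),          # malformed label is ignored
]

if __name__ == "__main__":
    for addr, view in sorted(assign_views(SAMPLE_LOG).items()):
        print(addr, view)
```

RFC 8145 signals are unauthenticated and can arrive through forwarders or NAT, so the source address is only a hint about which validator holds which trust anchor.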
Hi Davey,

At 07:32 PM 25-01-2018:

I followed the discussion in this ML and composed a draft proposal (attached and in my repo) as an input. I will not proceed in IETF but will consider publishing it in another form, if you think it is too radical to implement. Any comments on the proposal or edits for my poooor English are welcome. :-)

There is the following in the proposal: "It require new DNS extension and functions in both authoritative and recursive side servers". How long would it take to deploy the new DNS extension?

Regards,
S. Moonesamy
participants (2)
- Davey Song(宋林健)
- S Moonesamy