First Root KSK Rollover Successfully Completed
LOS ANGELES – 15 October 2018 – The Internet Corporation for Assigned Names and Numbers (ICANN) has determined that the first-ever changing of the cryptographic key that helps protect the Domain Name System (DNS) has been completed with minimal disruption of the global Internet. It was the first time the key has been changed since it was first put in use in 2010.

After evaluation of the available data, there does not appear to be a significant number of Internet end-users who have been persistently and negatively impacted by the changing of the key.

The few issues that have arisen appear to have been quickly mitigated and none suggested a systemic failure that would approach the threshold (as defined by the ICANN community) to initiate a reversal of the roll. In that context, it appears the rollover to the new Key Signing Key, known as KSK 2017, has been a success.

At this point, there are no indications it is necessary to back out of the rollover and ICANN will now proceed to the next step in the rollover process: revoking the old KSK, known as KSK 2010 during the next key ceremony in the first quarter of 2019.

"This successful exercise of the infrastructure necessary to roll the root zone's key has demonstrated it is possible to update the key globally," said David Conrad, ICANN's Chief Technology Officer. "It also provided important insights that will help us with future key rolls,"

The final decision to roll the root zone Key Signing Key (KSK) was made by ICANN President and CEO Göran Marby after reviewing the outcomes of the efforts of ICANN and others, particularly in the Domain Name System (DNS) technical community. These outcomes were the result of significant global outreach efforts, in consultation with the ICANN community, and after extensive analysis of available data.

With the final approvals in place, ICANN implemented the 16 September 2018 resolution of ICANN's Board. The resolution stated that the organization should proceed with its revised plans to change or "roll" the key for the DNS root on 11 October 2018.

To learn more about the Root KSK Rollover, visit its dedicated webpage and primary source of information: http://www.icann.org/kskroll

About ICANN

ICANN's mission is to help ensure a stable, secure, and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.

https://www.icann.org/news/announcement-2018-10-15-en
Thank you Team for info and Congrats on successful implementation.

Regards,
M.A.Majid
IT Infrastructure Manager

_______________________________________________
ksk-rollover mailing list
ksk-rollover@icann.org
https://mm.icann.org/mailman/listinfo/ksk-rollover
Cheers! No news is good news~
I had several bounce mails today from my Gmail to IETF's mail. It's weird. The response from the remote server was:

550 5.7.1 mail w9G8HQ5a028992 from 2607:f8b0:4864:20::72a rejected by DCC

The bounce may be irrelevant to KSK. But a question came to my mind: how can a user identify a failure caused by the KSK rollover?

Davey
On Oct 15 2018, Edward Lewis wrote:
[...much snipped...]
> At this point, there are no indications it is necessary to back out of the rollover and ICANN will now proceed to the next step in the rollover process: revoking the old KSK, known as KSK 2010 during the next key ceremony in the first quarter of 2019.

Just for clarification: does this mean that the plan is to publish a keyset with KSK-2010 revoked *in* 2019-Q1 (from 11 January, as [1] suggests), or that it will be *generated* during the key ceremony in 2019-Q1, and thus published in 2019-Q2 (presumably then from 11 April)?

[1] https://www.icann.org/en/system/files/files/2018-ksk-roll-operational-implem...

-- 
Chris Thompson
Email: cet1@cam.ac.uk
On 10/16/18, 16:16, "Chris Thompson" <cet1@hermes.cam.ac.uk on behalf of cet1@cam.ac.uk> wrote:

> Just for clarification: does this mean that the plan is to publish a keyset with KSK-2010 revoked *in* 2019-Q1 (from 11 January, as [1] suggests), or that it will be *generated* during the key ceremony in 2019-Q1, and thus published in 2019-Q2 (presumably then from 11 April)?

The plan is to publish a revocation of KSK-2010 on 11 January 2019. The scheduled date for the KSK Ceremony (#35) that will produce that DNSKEY set is 15 November 2018.
That phase may merit some monitoring, as it is the largest response to a root zone DNSKEY query and we are aware that some resolvers fail when the response gets this large.

See http://www.potaroo.net/ispcol/2017-08/xtn-hdrs.html and http://www.potaroo.net/ispcol/2016-11/rootstars.html for details, if you are interested.

Geoff
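To put a number on the response size Geoff refers to, the following added example (not code from the thread or from ICANN) computes the wire size of a root DNSKEY response and how it would be delivered. It assumes every root key is 2048-bit RSA with exponent 65537, one ZSK in the zone, and that during revocation both KSKs sign the DNSKEY RRset; the function names, EDNS buffer sizes and path MTUs are illustrative.

```python
"""Wire size of a root-zone DNSKEY response (added, constructed example)."""

HEADER = 12                     # DNS message header
QUESTION = 1 + 2 + 2            # root QNAME (one zero octet) + QTYPE + QCLASS
RR_FIXED = 1 + 2 + 2 + 4 + 2    # owner "." + TYPE + CLASS + TTL + RDLENGTH
OPT_RR = 11                     # EDNS(0) OPT pseudo-RR carrying no options


def dnskey_rr(bits, exponent_octets=3):
    """One DNSKEY RR holding an RSA key (RFC 3110 encoding, e = 65537 assumed)."""
    public_key = 1 + exponent_octets + bits // 8   # exponent length, exponent, modulus
    return RR_FIXED + 2 + 1 + 1 + public_key       # flags, protocol, algorithm, key


def rrsig_rr(bits):
    """One RRSIG RR over the DNSKEY RRset, signer name "." (one octet)."""
    return RR_FIXED + 18 + 1 + bits // 8           # fixed fields, signer, signature


def dnskey_response_size(key_bits, signer_bits):
    """Octets in a DO=1 response carrying the DNSKEY RRset and its RRSIGs."""
    return (HEADER + QUESTION + OPT_RR
            + sum(dnskey_rr(b) for b in key_bits)
            + sum(rrsig_rr(b) for b in signer_bits))


def transport_outcome(size, edns_bufsize, path_mtu, ipv6):
    """How a response of `size` octets reaches a resolver."""
    if size > edns_bufsize:
        return "tcp-retry"          # server sets TC=1; resolver must retry over TCP
    ip_udp_headers = (40 if ipv6 else 20) + 8
    if size + ip_udp_headers > path_mtu:
        return "udp-fragmented"     # lost if fragments are filtered on the path
    return "udp"


# Assumed key sets (all RSA 2048-bit). A revoked key must also sign the RRset
# (RFC 5011), so the revocation phase carries two signatures.
PHASES = {
    "KSK-2017 + ZSK, one signature": ([2048, 2048], [2048]),
    "KSK-2010 revoked + KSK-2017 + ZSK, both KSKs sign": ([2048] * 3, [2048] * 2),
}

if __name__ == "__main__":
    for name, (keys, signers) in PHASES.items():
        size = dnskey_response_size(keys, signers)
        for bufsize, mtu in ((4096, 1500), (4096, 1280), (1232, 1500)):
            outcome = transport_outcome(size, bufsize, mtu, ipv6=True)
            print(f"{name}: {size} octets, EDNS {bufsize}, "
                  f"IPv6 path MTU {mtu} -> {outcome}")
```

A resolver operator can compare the "udp-fragmented" and "tcp-retry" cases against their own firewall policy: a resolver that neither receives fragments nor can reach the root servers over TCP cannot fetch the DNSKEY RRset in that phase.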
(Reordering and pruning somewhat...)

On Oct 17 2018, Geoff Huston wrote:
[...]
>> On 16 Oct 2018, at 4:37 pm, Edward Lewis <edward.lewis@icann.org> wrote:
>> [...]
>> The plan is to publish a revocation of KSK-2010 on 11 January 2019. The scheduled date for the KSK Ceremony (#35) that will produce that DNSKEY set is 15 November 2018.
>
> That phase may merit some monitoring, as it is the largest response to a root zone DNSKEY query and we are aware that some resolvers fail when the response gets this large.

Also, I hope that the RFC 8145 query monitoring will continue during this period and distinguish servers that have dropped KSK-2010 from their set of trust anchors from those that have not. This may give some insight into how widespread, and how effective, RFC 5011 implementations are.

-- 
Chris Thompson
Email: cet1@cam.ac.uk
From: ksk-rollover [mailto:ksk-rollover-bounces@icann.org] On Behalf Of Chris Thompson
Sent: Wednesday, 17 October 2018 16:33
To: ksk-rollover@icann.org
Subject: Re: [ksk-rollover] [Ext] Re: First Root KSK Rollover Successfully Completed

> (Reordering and pruning somewhat...) [...]
> Also, I hope that the RFC 8145 query monitoring will continue during this period and distinguish servers that have dropped KSK-2010 from their set of trust anchors from those that have not. This may give some insight into how widespread, and how effective, RFC 5011 implementations are.

Hello,

after the KSK Roll is before the KSK roll. I agree, even so our resolvers should be fine, a script will check the query results for our IPv4 and IPv6 addresses.

Thank you,
Tore
It seems like the only potent major impact was Eir in Ireland (which as an Irishman is not surprising me at all). Kudos on a well run roll. Sent from my iPhone
On Oct 17, 2018, at 4:32 PM, Chris Thompson <cet1@cam.ac.uk> wrote:

> Also, I hope that the RFC 8145 query monitoring will continue during this period and distinguish servers that have dropped KSK-2010 from their set of trust anchors from those that have not. This may give some insight into how widespread, and how effective, RFC 5011 implementations are.

The ICANN org has no plans to shut off our RFC 8145 query processing, which processes RFC 8145 query reports we receive from most of the root operators and generates the graphs at http://root-trust-anchor-reports.research.icann.org. (ICANN's own L-root contributes to this data stream and we have no plans to stop reporting RFC 8145 queries from traffic received at L-root, either.)

However, it's up to the other root operators to decide if they will continue to contribute data. The RFC 8145 data reporting was added to an existing query reporting mechanism already in place well before the rollover, so I'm hopeful everyone will be willing to keep the status quo. I can ask the various operators.

Matt
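The distinction Chris asks for can be drawn from the RFC 8145 key tag queries themselves. The following is an added example, not ICANN's reporting code: it parses root-zone `_ta-` queries from a constructed query log and reports which sources stopped signalling KSK-2010. The key tags 19036 (KSK-2010) and 20326 (KSK-2017) are the published root key tags rather than values from this thread; the log format, addresses and function names are assumptions.

```python
"""Classify resolvers by the trust anchors they signal (RFC 8145), added example."""
import re
from collections import Counter, defaultdict

KSK_2010 = 19036   # 0x4a5c, published root key tag (not stated in the thread)
KSK_2017 = 20326   # 0x4f66, published root key tag (not stated in the thread)

# RFC 8145 section 5.1: QTYPE NULL, QNAME "_ta-" + 4-hex-digit key tags joined by "-".
_TA_LABEL = re.compile(r"^_ta-([0-9a-f]{4}(?:-[0-9a-f]{4})*)$", re.IGNORECASE)


def parse_key_tag_qname(qname):
    """Return the key tags signalled for the root zone, or None if not a signal."""
    labels = qname.rstrip(".").split(".")
    if len(labels) != 1:            # "_ta-xxxx.example." signals another zone
        return None
    match = _TA_LABEL.match(labels[0])
    if not match:
        return None
    return {int(tag, 16) for tag in match.group(1).split("-")}


def classify(tags):
    """Name the trust anchor set a resolver reported."""
    has_old, has_new = KSK_2010 in tags, KSK_2017 in tags
    if has_old and has_new:
        return "both"
    if has_new:
        return "ksk2017-only"
    if has_old:
        return "ksk2010-only"
    return "other"


def trust_anchor_report(log_lines):
    """Return (latest state per source, sources that went from both to KSK-2017 only)."""
    history = defaultdict(list)     # source -> [(timestamp, state), ...]
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue
        timestamp, source, qname, qtype = fields
        if qtype.upper() != "NULL":
            continue
        tags = parse_key_tag_qname(qname)
        if tags is not None:
            history[source].append((timestamp, classify(tags)))
    latest, dropped_old = {}, []
    for source, events in history.items():
        events.sort()               # ISO 8601 timestamps sort chronologically
        states = [state for _, state in events]
        latest[source] = states[-1]
        if states[-1] == "ksk2017-only" and "both" in states[:-1]:
            dropped_old.append(source)
    return latest, sorted(dropped_old)


# Constructed sample log: "<timestamp> <source> <qname> <qtype>", one query per line.
SAMPLE_LOG = [
    "2019-01-05T00:10:00Z 192.0.2.10 _ta-4a5c-4f66. NULL",
    "2019-01-05T00:11:00Z 192.0.2.20 _ta-4a5c. NULL",
    "2019-01-05T00:12:00Z 2001:db8::53 _ta-4a5c-4f66. NULL",
    "2019-01-05T00:13:00Z 192.0.2.30 _ta-4f66. NULL",
    "2019-01-05T00:14:00Z 192.0.2.10 www.example. A",
    "2019-02-20T00:10:00Z 192.0.2.10 _ta-4f66. NULL",
    "2019-02-20T00:11:00Z 192.0.2.20 _ta-4a5c. NULL",
    "2019-02-20T00:12:00Z 2001:db8::53 _ta-4a5c-4f66. NULL",
    "2019-02-20T00:13:00Z 192.0.2.40 _ta-4f66.example. NULL",
]

if __name__ == "__main__":
    latest, dropped_old = trust_anchor_report(SAMPLE_LOG)
    print(Counter(latest.values()))
    print("dropped KSK-2010 after trusting both:", dropped_old)
```

Sources still signalling both tags well after a revocation is published are the ones whose RFC 5011 handling did not remove the old key; sources signalling only KSK-2010 never picked up the new one.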
I would like to publicly say that the KSK Roll went much much much better than I was expecting / predicting, and to congratulate ICANN (and the OCTO group in particular) for this.

W

-- 
I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
I agree with Warren. Slow, but steady. Kudos!
I want to also add my congratulations to everyone that helped the KSK roll to be such a success!! As some folks may know, I was more optimistic about the KSK Roll than Warren but I think the Roll went even better than I expected. Particular thanks and recognition goes to the ICANN OCTO folks who put so much effort into the planning. For those that are interested in a summary of the Roll, the OCTO is scheduled to make a presentation on the results of the Roll during the DNSSEC Workshop at ICANN 63 on Oct 24th. Russ
Warren Kumari <warren@kumari.net> writes:

> I would like to publicly say that the KSK Roll went much much much better than I was expecting / predicting, and to congratulate ICANN (and the OCTO group in particular) for this.

I'm particularly pleased to have seen no bump in traffic from the resolvers that had failed to update their keys, indicating (hopefully) that most deployed code bases no longer magnify requests under failure (aka roll-over-and-die).

Well done to the ICANN community and organization for making this happen.

-- 
Wes Hardaker
USC/ISI
participants (13)
- Chris Thompson
- Davey Song(宋林健)
- Edward Lewis
- Geoff Huston
- James Gannon
- Kumar Ashutosh
- Majid ; Mohammed Abdul
- Matt Larson
- Paul Wouters
- Russ Mundy
- Stelzner, Tore
- Warren Kumari
- Wes Hardaker