<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mv="http://macVmlSchemaUri" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:595.0pt 842.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1027"/>
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1"/>
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt"><a href="https://www.icann.org/news/blog/update-on-the-root-ksk-rollover-project">https://www.icann.org/news/blog/update-on-the-root-ksk-rollover-project</a><o:p></o:p></span></p>
<div style="border:none;border-bottom:solid windowtext 1.5pt;padding:0cm 0cm 1.0pt 0cm">
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt">The ICANN org is today announcing that it will not roll the root zone KSK in the first quarter of 2018.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt">We have decided that we do not yet have enough information to set a specific date for the rollover. We want to make clear, however, that the ICANN org is committed to rolling the
root zone KSK and we will continue to discuss this important process with the community, gather their feedback and give all interested parties advance notice of at least one calendar quarter when we set the date for the rollover.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt">Furthermore, we are soliciting input from the community to help determine, if possible, appropriate objective criteria to measure the possible negative impact of the root KSK rollover
on Internet users, and acceptable values for those criteria before a rollover. This is in accordance with the bottom-up, multi-stakeholder model that has been so successful for ICANN policy development.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt">On 27 September 2017, the ICANN org
<a href="https://www.icann.org/news/announcement-2017-09-27-en"><span style="color:blue">announced</span></a> it was postponing the root zone KSK rollover for at least one quarter, leaving open the possibility the root KSK rollover might occur in the first
quarter of 2018. We have since realized that our analysis and preparation will require additional time.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt">In a
<a href="https://www.icann.org/news/blog/update-on-the-root-ksk-roll-project"><span style="color:blue">previous post</span></a>, we described our analysis of recursive resolver trust anchor configuration information reported using the protocol defined in
<a href="https://www.rfc-editor.org/rfc/rfc8145.txt"><span style="color:blue">RFC 8145</span></a>,
<i>Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC)</i>. Our analysis revealed that about 4% of the approximately 12,000 DNSSEC-validating resolvers reporting during the month of September 2017 were configured with only KSK-2010 (the shorthand
for the current root KSK) and would have been unable to resolve DNS queries after the rollover occurred.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt">The ICANN org's decision to postpone the rollover was based on the concern that we did not understand why those resolvers were not properly configured, and we needed time to investigate.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt">Since then, we have attempted to contact the operators of 500 addresses that had reported a resolver configuration with only KSK-2010 instead of the correct configuration of both
KSK-2010 and the new KSK, KSK-2017. Ideally, that investigation would have revealed a set of clear causes for the improper configuration, allowing further communication and actions to be targeted at addressing those specific issues. But in the end, the analysis
was not as conclusive as we would have hoped.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt">In our initial attempt, we received a response from operators of approximately 20% of the 500 addresses. Of those addresses whose operators we could contact, 60% came from address
ranges known to host devices with dynamic addresses, such as routers of home broadband users and ephemeral virtual machines, making these resolvers extremely difficult (if not impossible) to track down. About 25% of the addresses corresponded to a resolver
forwarding on behalf of another resolver that was reporting only KSK-2010. Since the address of the device reporting the incorrect configuration was not the actual source resolver, it is extremely difficult (if not impossible) to identify the true source address
of the resolver that was reporting only KSK-2010.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt">To proceed with the root KSK rollover, the ICANN org must have confidence that the rollover will not have an unacceptable negative impact on Internet users. The challenge we have
encountered since we began to analyze the RFC 8145 trust anchor configuration reports from resolvers is assessing the impact on users.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt">We can make a number of assumptions: for example, it is unlikely that a recursive resolver running at a dynamic address could support a large number of users since it does not offer
a stable address for any devices to send queries to for resolution. But ultimately, determining potential user impact based on the data available to us is difficult and we are therefore soliciting the community's input.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt">Input and discussion on acceptable criteria for proceeding with the KSK roll will take place on an existing email list that is already being used for discussion of the root KSK rollover.
We encourage anyone interested in contributing to join the mailing list by visiting the web page
<a href="https://mm.icann.org/mailman/listinfo/ksk-rollover"><span style="color:blue">here</span></a>.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt">The ICANN org will monitor this mailing list and beginning on 15 January 2018, we will develop a draft plan for proceeding with the root KSK roll based on the input received and
discussion on the mailing list. The plan will be published by 31 January 2018 and undergo a formal ICANN public comment process to gather further input. We will hold a session at ICANN61 in San Juan, Puerto Rico, to discuss the plan and hear from the community
in person. Our intent is to have a revised plan available for community review and public comment prior to ICANN62 in Panama City, Panama, with a final plan published soon thereafter.<o:p></o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11.0pt">Throughout the process we'll continue to keep the community updated on the root KSK rollover project's progress.<o:p></o:p></span></p>
</div>
</body>
</html>