[NCSG-PC] Review NCSG Comment on KSK Rollover Draft

[Rafik Dammak]

Hi,

we are talking here about operators managing resolvers which are basically
ISPs, telco operators, and other infrastructure providers. They usually
have operations team and network engineers monitoring traffic and network
24/7. With outreach, they should be aware of the date of rollover
beforehand and plan for it but of course, some network operators are not
good at implementing best practices or doing the correct setup.

as the internet is a service used all the time and with its scale, there is
no perfect day to do "maintenance" or deployment or a way to avoid impact
some users. I won't really worry about it is in Friday or Monday. What
matters is the response in case of an outage and how that can be escalated
properly.

Best,

Rafik

2018-03-27 16:05 GMT+09:00 Farell FOLLY <farell at benin2point0.org>:

> Of course Ayden, You are right. Changing crypto keys, especially in case
> of the rollover (and it will impact iteratively all subsequents operators),
> should be given due attention and be processed at a properly chosen time.
> Otherwise, this can lead to a (at least) 2 days Internet blackout or huge
> disturbance and it will even be difficult to recover because resolvers
> would not then be able to communicate.
>
>
> @__f_f__
>
> Best Regards
> ____________________________________
>
> Ekue (Farell) FOLLY
> Technology Champion & Chapter Head
> Africa 2.0 Foundation.
> farell at benin2point0.org
> www.africa2point0.org
> linkedin.com/in/farellf
> twitter.com/@__f_f__
>
>
>
>
>
>
> On 26 Mar 2018, at 16:49, Ayden Férdeline <icann at ferdeline.com> wrote:
>
> Another thought:
>
> The proposed roll over date is a Thursday in the evening (US), which is
> Friday in many parts of the world. If something went wrong, Friday may be
> an inopportune time for this to happen. Might it be better for the
> rollover, whenever it does occur, to happen on a Monday?
>
> Ayden
>
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On 26 March 2018 2:46 PM, Renata Aquino Ribeiro <raquino at gmail.com> wrote:
>
> [observer]
>
> Hi
>
> I agree governmental actors should not really be the ones with this
> discussion in mind.
>
> This is a hot topic in RIRs
> LACNIC tour to ICANN in Vice News being case in point
> https://lists.ncuc.org/pipermail/ncuc-discuss/2018-March/043809.html
>
> Outreach to endpoints of industry chain is the best way to deal with the
> theme and is well covered by the comment.
>
> Best,
>
> Renata
>
>
>
>
>
> On Sun, Mar 25, 2018 at 9:03 PM, Rafik Dammak <rafik.dammak at gmail.com>
> wrote:
>
>> Hi Ayden,
>>
>> Thank for those questions and review, looking for other PC members to do
>> so.
>> maybe something we can check with the draft team as they reviewed the
>> material?
>> I am not security expert but my understanding that risks depend on the
>> threat model for this case.
>> for outreach, ICANN did, in fact, contact government regulators and
>> relevant authorities to share info with their local operators for the first
>> iteration to inform them about KSK rollover. tbh I won't count on GAC to do
>> such thing. Of course, more can be done but it is always challenging.
>> I guess a monthly report may or not be used by users but at least can be
>> a good transparency tool, identifying operators and can be used by the
>> technical community itself not edn-users.
>>
>> Best,
>>
>> Rafik
>>
>> 2018-03-25 6:10 GMT+09:00 Ayden Férdeline <icann at ferdeline.com>:
>>
>>> Hi all,
>>>
>>> Thanks to those who drafted this.
>>>
>>> From what I understand, delaying the now overdue KSK rollover yet again
>>> would increase the risk of key compromise. Security best practices suggest
>>> that ICANN should rollover the key on a regular basis. Are there any
>>> dangers to us supporting another postponement?
>>>
>>> I think our recommendation that the publication of a "monthly trust
>>> anchor report will give those Internet users who identify their local
>>> operators as “not ready” an opportunity to reach out to them directly prior
>>> to the root KSK rollover date" is far-fetched. I doubt any end-users will
>>> read it and take action. I believe the onus should be on ICANN (and
>>> possibly the GAC) to reach out to local operators who are not ready...
>>>
>>> Best wishes,
>>>
>>> Ayden
>>>
>>>
>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>> On 21 March 2018 6:28 PM, Rafik Dammak <rafik.dammak at gmail.com> wrote:
>>>
>>> Hi all,
>>>
>>> A draft we have to review for endorsment  asap,  the deadline for
>>> submission is the 2nd April.
>>>
>>> Best,
>>>
>>> Rafik
>>>
>>> ---------- Forwarded message ---------
>>> From: Louise Marie Hurel <louise.marie.hsd at gmail.com>
>>> Date: Thu, Mar 22, 2018, 3:23 AM
>>> Subject: [Public Comments] NCSG Comment on KSK Rollover Draft
>>> To: <NCSG-DISCUSS at listserv.syr.edu>
>>> Cc: Tomslin Samme-Nlar <mesumbeslin at gmail.com>, Dina Solveig Jalkanen <
>>> icann at thomascovenant.org>, Rafik Dammak <rafik.dammak at gmail.com>
>>>
>>>
>>> Hi all,
>>>
>>> Comments on the Plan to Restart the Root Key Signing Key (KSK) Rollover
>>> Process opened early February this year
>>> <https://www.icann.org/public-comments/ksk-rollover-restart-2018-02-01-en>.
>>> For those who have not been following the process that closely, KSK serves
>>> as a trust anchor for DNSSEC and was last (and for the first time) signed
>>> in 2010. ICANN had scheduled to implement a new key in October. However,
>>> they decided to postpone the signing of new cryptographic keys for the DNS
>>> after finding that the resolvers used by ISPs and network operators were
>>> still not ready and there's a need for more data in prepping for it.
>>>
>>> While the comment is narrow and highly technical in its scope, the
>>> overall idea of the process can be read as taking the next step in
>>> consolidating a way of periodically changing keys -- thus enhancing
>>> security and resilience in the DNS.
>>>
>>> Tomslin, Dina and I have worked on this draft
>>> <https://docs.google.com/document/d/1VNxn4UJlk8z196Kz56ucAdgyWp0ua9NmdHexRE1Wkhc/edit>
>>> and would be happy to get more comments edits, suggestions on this. Feel
>>> free to jump in.
>>>
>>> For more info, see here
>>> <https://www.icann.org/news/announcement-2017-09-27-en> and here
>>> <https://www.icann.org/en/system/files/files/plan-continuing-root-ksk-rollover-01feb18-en.pdf>
>>> .
>>>
>>> All the best,
>>>
>>> Louise Marie Hurel
>>> Cybersecurity Project Coordinator | Igarapé Institute
>>> London School of Economics (LSE) Media and Communications (Data and
>>> Society)
>>> Skype: louise.dias
>>> +44 (0) 7468 906327 <+44%207468%20906327>
>>> *l.h.dias at lse.ac.uk <l.h.dias at lse.ac.uk> *
>>> louise.marie.hsd at gmail.com
>>>
>>>
>>>
>>
>> _______________________________________________
>> NCSG-PC mailing list
>> NCSG-PC at lists.ncsg.is
>> https://lists.ncsg.is/mailman/listinfo/ncsg-pc
>>
>>
> _______________________________________________
> NCSG-PC mailing list
> NCSG-PC at lists.ncsg.is
> https://lists.ncsg.is/mailman/listinfo/ncsg-pc
>
>
>
> _______________________________________________
> NCSG-PC mailing list
> NCSG-PC at lists.ncsg.is
> https://lists.ncsg.is/mailman/listinfo/ncsg-pc
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncsg.is/pipermail/ncsg-pc/attachments/20180327/a18214d5/attachment.htm>