Re: [DNSOP] Informal meeting about root KSK futures at IETF 103

George Michaelson <> Tue, 30 October 2018 00:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 214ED12426A for <>; Mon, 29 Oct 2018 17:45:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5vidweRyrhx4 for <>; Mon, 29 Oct 2018 17:45:35 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::32a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 048C9131001 for <>; Mon, 29 Oct 2018 17:45:35 -0700 (PDT)
Received: by with SMTP id 189-v6so10048804wmw.2 for <>; Mon, 29 Oct 2018 17:45:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=Itc9lHnjwRsmgsTmr3Dtih05jK23rk2n+SIK78amFK8=; b=iL98VN+KlLJpfBrgu7lPZL+6G7/De+JwN69y8wC82qHA/jlGouzSrMlJ1KnMe3eW3m Cr9hAph2amsrfIsxazJ5fRBcAljXqmYsVFtFS/6RqVY93UaPZGqPcO2WauL+ZGsz5rO7 SK6RgoMeGhemw0yKJvYXg6d9j+nhvrFRCKYxH8IPHykMfnp11EldIKvYH1mP1mAIYneQ z4PkO65iW5SJvZFGS0oDh0fGB//iWx5nqLZJ+/xCPCzylJaKlu0Q7fvqGbTT25dOmchQ QnLZz+3KZOKS/JCIiUbpqn/TMfT7f6TN4ESUKCF/z8uT1FZaLsGkT4T4ZQZ6VdkZVoH+ wAHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Itc9lHnjwRsmgsTmr3Dtih05jK23rk2n+SIK78amFK8=; b=hVbVRBuwMOgkLgn9xPTwRYhiW6oy5z20prw1qnft3B0h0V8+JFCPadH84V2GonvlkP 6B/lDs7BLBHHrbsv2NgeN2GosbcdJ2gZKWX7eTVealXfMM6+YjxyiWnbFkYoIp8vUjAw egusyuL5kqwR0YBzVK8VMd2qlVE7CJ8ExR7Gq/A/NWssXzLmAZmeUE3C7GrhCHpoRSg0 2mFa9lNyXaV9hzv4oexlBIWxFPaCgzEi4+8LZHJH7HosRwFZcdH3WW43OLMUsKvScO4x ukZmV3nrboxSQxVCJvEh7ooV35kGEC/v7rh1UT5wlVGaEuTmAeRUt2b9eolrZj0HJ0Nn A0Eg==
X-Gm-Message-State: AGRZ1gIlmt+3GkQqeHwB6hxlK3jyv4oA+ng49/vL/IsTfN9enFoetxDg UhrQpyfBaHML/j6gfw2DTZIv3NGU4tKYM14tJBzTYg==
X-Google-Smtp-Source: AJdET5e10UZQ7FBj2e7a9QGQbC9pgQ4H/jVMt5QmCL5G1+IuOUfn6PBjPPkn1Dl5ucZL49vdiyzeBdZbCjatTY3E9Ag=
X-Received: by 2002:a1c:b20d:: with SMTP id b13-v6mr28273wmf.141.1540860333281; Mon, 29 Oct 2018 17:45:33 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <> <> <>
In-Reply-To: <>
From: George Michaelson <>
Date: Tue, 30 Oct 2018 10:45:21 +1000
Message-ID: <>
Cc: dnsop WG <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [DNSOP] Informal meeting about root KSK futures at IETF 103
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 30 Oct 2018 00:45:38 -0000

as usual, billions arithmetic got me. 0.001 * 2,300,000,000 is 2,300,000

so thats a few dodgers stadiums more than I said...

On Tue, Oct 30, 2018 at 10:41 AM George Michaelson <> wrote:
> There is a tension between assumed privacy ("this is my resolver, what
> I run is my business, how I run it is my business") of entities
> running resolvers, and customers ("this is my DNS query. what I ask is
> my business") and providers of infrastructure ("this is my liability:
> the consequences of not understanding what we are doing expose me to
> high consequence risk")
> Some significant players in DNS conversations have been remarkably
> oppositional to instrumenting the protocol.
> I think on balance the question "can your resolver survive the KSK
> roll" is not a massive invasion of privacy, is not a huge impost on
> providers of DNS service, does not interfere with implied rights to
> privacy. We should have better knowledge. We should instrument the
> resolver. The protocol. We should not be forced to do ludicrous things
> to find this out, it should be as innate as the telnet capability
> negotiation, or the HTTP client/server capability negotiation. We know
> how to do these things.
> I am statist. I do not pretend states don't exist. I am not a
> libertarian, I am not trumpeting DNS as a tool for individual liberty.
> DNS is a useful functional element which now has consequence when it
> doesn't operate correctly.
> We've walked a long way into an industry self-regulation outcome which
> I feel is as consequential as 250v or 50hz, both of which are defined
> parameters with variances and tolerances which people in the
> electricty supply industry have to respect, to remain protected by
> public liability insurance. We should consider the public DNS in the
> same light: If we want to avoid opprobrium over mis-steps in operating
> the root of the DNS, we should adopt a rational posture akin to the
> ones in Power, Water, Sewerage, because thats what we are: a public
> utility function. With public utility liability questions.
> Rightly or wrongly DNS is a critical service, which has potential for
> wide impact which is not good. It didn't (this time) at scale, in as
> much as nobody has come forward to say it did: The assumption there
> has been *no* damage, or *no* loss of service feels to me wrong. I am
> (as a gambling man) confident it was low, in as much as 2.3b users
> didn't rise up and grab pitchforks. I bet it was big enough (remember,
> 0.001 of 2.3b is 23,000) that you'd fill an auditorium.
> Is 1 in 1000 an acceptable damage rate? is 99.999% unaffected ok? Why
> is 98% not ok? or 97%? Where IS the acceptable damage boundary? Who
> gets to say what will be tolerated as loss in the DNS system, for what
> period of time?
> If we want to "plan" for rolls, I think we should stop allowing "not
> on my server" to impede DNS protocol design which would provide
> un-ambiguous signal of capability in the field. And "not in my
> protocol" too. If you offer a service like or or
> you should be in a position of community obligation to be
> completely clear what your posture is towards KSK roll, algorithm
> roll. If you can't support it, you should say so. If that means people
> are advised to TURN YOU OFF that needs to be understood.
> If we want to perform algorithm roll, get stand-by keys, we should be
> prepared to argue for the changes which make it easier to do these
> things.
> -George
> On Tue, Oct 30, 2018 at 10:29 AM Steve Crocker <> wrote:
> >
> > I had advocated early and frequent rollovers for precisely the reason: keep doing it until it’s easy, so we’re in strong agreement.
> >
> > Yes, this one actually went smoothly but there was some tension.  Aside from any specific improvement, reducing the tension and sense of drama is mainly what I had in mind.
> >
> > Thanks,
> >
> > Steve
> >
> > On Mon, Oct 29, 2018 at 8:23 PM Joe Abley <> wrote:
> >>
> >> Hi Steve,
> >>
> >> There will always be the potential for tension between the desire to perform measurement and the need for privacy. In this case it seems to me that a well-intentioned and competent authority, supported by a well-intentioned and occasionally-coherent community has a plausible and sensible desire to understand the configuration of resolvers. I imagine others might see things differently, however. I suspect that having a clean signal that can be relied upon is going to at least change the extent to which client infrastructure is private.
> >>
> >> Your last paragraph caught my eye, though. It could be argued that the rollover that just completed was straightforward, at least from a technical perspective. The delays, uncertainty, concern and unfulfilled doomsaying were the things that made it difficult. (It's easy to load that last sentence so that the concern looks ridiculous given the outcome; I am fully aware that the hyperbole would be the thing that looked ridiculous if things had turned out differently.)
> >>
> >> To what extent does a regular and frequent cadence of key rollovers obviate the need for concern? It seems to me that at some point down the road if a key roll breaks someone's network, it's going to be much easier to point the finger at the network operator than at whomever is responsible for rolling the key. Perhaps the way to eliminate the things that made the first rollover hard is just to keep doing it until it's officially easy.
> >>
> >>
> >> Joe
> >>
> >> On 29 Oct 2018, at 18:46, Steve Crocker <> wrote:
> >>
> >> I won't be in Bangkok, so I won't be able to participate.  In my view, there were two specific problems that dominated the rollover problem.  The first was the inability to determine the configuration of querying resolver.  The second was the in ability to notify resolver operators if it was evident their software was misconfigured.
> >>
> >> Although these two problems became evident and important during the rollover, they also apply more generally, so if the IETF is going to work on improvements, it would be helpful if the improvements would be useful in the event of other configuration or operational issues.  Ideally, every resolver that issues a query would provide configuration information, perhaps in a controlled fashion, and there should also be a way to notify the resolver operator of operational problems.
> >>
> >> We will need to do more rollovers in the future, driven at least in part by the need to change algorithms.  I would hope we can work toward making these relatively straightforward.
> >>
> >> Thanks,
> >>
> >> Steve
> >>
> >>
> >> On Mon, Oct 29, 2018 at 12:36 PM Dave Lawrence <> wrote:
> >>>
> >>> Dave Lawrence writes:
> >>> > Count me as another, for that very reason.  When I first saw Paul's
> >>> > message I thought, "oh that's a shame" but figured it to be fairly
> >>> > set.  If there's flexibility for making the meeting happen earlier in
> >>> > the week, I'd be interested.
> >>>
> >>> Following up to my own message, since this was further down in my box
> >>> on another list...
> >>>
> >>> ------- start of forwarded message (RFC 934 encapsulation) -------
> >>> From: Paul Hoffman <>
> >>> Subject: Re: [ksk-rollover] Informal meeting at IETF 103
> >>> To: "" <>
> >>>
> >>> Based on some requests from folks who are leaving the IETF meeting
> >>> early, I have also reserved a meeting room for 1600-1700 Wednesday
> >>> afternoon (local time), Pagoda Room on the 4th floor.
> >>>
> >>> And just to emphasize: the purpose of this week's informal gatherings is
> >>> to let folks in the IETF community chat about their ideas in front of
> >>> other IETFers. This is similar to the KSK-related mic lines at the
> >>> DNS-OARC and RIPE meetings a few weeks ago. These IETF side-meetings
> >>> really are just slightly-better-organized hallway discussions. Given the
> >>> wide range of proposals we have already heard, it is good to get a bit
> >>> of face-to-face sharing going early.
> >>>
> >>> We won't start formal planning about the KSK futures until after the
> >>> rollover process is complete*. When we do, we'll do it in discussion
> >>> environments that are much more inclusive than these informal IETF
> >>> side-meetings or the mic lines at other technical meetings.
> >>>
> >>> [...]
> >>> ------- end -------
> >>>
> >>> _______________________________________________
> >>> DNSOP mailing list
> >>>
> >>>
> >>
> >> _______________________________________________
> >> DNSOP mailing list
> >>
> >>
> >>
> >>
> > _______________________________________________
> > DNSOP mailing list
> >
> >