Re: [DNSOP] Informal meeting about root KSK futures at IETF 103

George Michaelson <> Tue, 30 October 2018 00:42 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 12851131001 for <>; Mon, 29 Oct 2018 17:42:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ZMLPOAv-Z08t for <>; Mon, 29 Oct 2018 17:41:57 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::434]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0882E12426A for <>; Mon, 29 Oct 2018 17:41:57 -0700 (PDT)
Received: by with SMTP id i17-v6so10615289wre.7 for <>; Mon, 29 Oct 2018 17:41:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=mwzfHu8a3Ksuep+XZwYymAxHzDXKTybCflbVhGKzGyE=; b=v3TibrMfWyOs6MdiGKTdl4JDI4qK3WzHv4R0PmlMeXPj1aePybokTu9TJIQ63TO0F9 WNP2enrf8c2poP2VF/0YaQ+uAASNE0SeeweQ5vD9QjeHORv8ZyteWRJscxWgAPjuAyjq 46y3G0jyuWmoZSACPyWcJBdQCBAMQq5V95hMpP99I6mPaz/YtBj/R1fpaxGtJdcU83O3 sSeq58Z6xZH4WlsykgYaDHrd5yj+ZB9e+sTp1VoAYlSPsDzW9oHpVIjVaO5MwojcyIl/ Onxy94GMBAI6Cb/OFuueMKSJAY1V/5kknvEn3ZuCBdkdUb1YffwhH5aZ0FScw9VePhkX au7g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=mwzfHu8a3Ksuep+XZwYymAxHzDXKTybCflbVhGKzGyE=; b=IVwndzkjas0mrkqD7eWngjxdTaKzAxUVWGFyi1rcf/hwOWNNWl47oO5CX9CwZdjy6D hjQ6QS6QzVrM81J49dVF70eufz8rp3lijZQ/+jGJuQ18zMXhpjOIiueHPyAiwvk+NWD2 /wK/ybLfT2ac6JjXbMkd9XmdUE3gcK8e/4zU0nEqHKs7fqtIJrOp3wg9NULRVnGpyKQj 69p+cCs5Cv1FVdkQi0gUnrWnZg5ww/V+5YeShZ2rmNJUZMZ3UqZTLb66IPR5MRSdSrZ0 kBX6tYG+FLpKAMsKcNvooSqXXVfinrWzmrT+fGEFpOYKJkETOwbu2ANXN07gzCa6QMz8 WAuQ==
X-Gm-Message-State: AGRZ1gJZ8liNM883Veok5v3XMH6/h/TOLEdAsa4ZWRPHQAP2ree52aeG ahFBGm/nSnCD22d4Yru0lrt/r2xHY4xg8FhBuxFrxq/y
X-Google-Smtp-Source: AJdET5dSppHArE/AY3VTiqITu9i/SDJiU7oBNLjflJeOKdt0mov7v5sW8XrA4dZ/b4X3yPgLmhMeu4GFkPeLghdi9dw=
X-Received: by 2002:a5d:4b0f:: with SMTP id v15-v6mr15514414wrq.180.1540860115110; Mon, 29 Oct 2018 17:41:55 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <> <> <>
In-Reply-To: <>
From: George Michaelson <>
Date: Tue, 30 Oct 2018 10:41:43 +1000
Message-ID: <>
Cc: dnsop WG <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [DNSOP] Informal meeting about root KSK futures at IETF 103
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 30 Oct 2018 00:42:03 -0000

There is a tension between assumed privacy ("this is my resolver, what
I run is my business, how I run it is my business") of entities
running resolvers, and customers ("this is my DNS query. what I ask is
my business") and providers of infrastructure ("this is my liability:
the consequences of not understanding what we are doing expose me to
high consequence risk")

Some significant players in DNS conversations have been remarkably
oppositional to instrumenting the protocol.

I think on balance the question "can your resolver survive the KSK
roll" is not a massive invasion of privacy, is not a huge impost on
providers of DNS service, does not interfere with implied rights to
privacy. We should have better knowledge. We should instrument the
resolver. The protocol. We should not be forced to do ludicrous things
to find this out, it should be as innate as the telnet capability
negotiation, or the HTTP client/server capability negotiation. We know
how to do these things.

I am statist. I do not pretend states don't exist. I am not a
libertarian, I am not trumpeting DNS as a tool for individual liberty.
DNS is a useful functional element which now has consequence when it
doesn't operate correctly.

We've walked a long way into an industry self-regulation outcome which
I feel is as consequential as 250v or 50hz, both of which are defined
parameters with variances and tolerances which people in the
electricty supply industry have to respect, to remain protected by
public liability insurance. We should consider the public DNS in the
same light: If we want to avoid opprobrium over mis-steps in operating
the root of the DNS, we should adopt a rational posture akin to the
ones in Power, Water, Sewerage, because thats what we are: a public
utility function. With public utility liability questions.

Rightly or wrongly DNS is a critical service, which has potential for
wide impact which is not good. It didn't (this time) at scale, in as
much as nobody has come forward to say it did: The assumption there
has been *no* damage, or *no* loss of service feels to me wrong. I am
(as a gambling man) confident it was low, in as much as 2.3b users
didn't rise up and grab pitchforks. I bet it was big enough (remember,
0.001 of 2.3b is 23,000) that you'd fill an auditorium.

Is 1 in 1000 an acceptable damage rate? is 99.999% unaffected ok? Why
is 98% not ok? or 97%? Where IS the acceptable damage boundary? Who
gets to say what will be tolerated as loss in the DNS system, for what
period of time?

If we want to "plan" for rolls, I think we should stop allowing "not
on my server" to impede DNS protocol design which would provide
un-ambiguous signal of capability in the field. And "not in my
protocol" too. If you offer a service like or or you should be in a position of community obligation to be
completely clear what your posture is towards KSK roll, algorithm
roll. If you can't support it, you should say so. If that means people
are advised to TURN YOU OFF that needs to be understood.

If we want to perform algorithm roll, get stand-by keys, we should be
prepared to argue for the changes which make it easier to do these

On Tue, Oct 30, 2018 at 10:29 AM Steve Crocker <> wrote:
> I had advocated early and frequent rollovers for precisely the reason: keep doing it until it’s easy, so we’re in strong agreement.
> Yes, this one actually went smoothly but there was some tension.  Aside from any specific improvement, reducing the tension and sense of drama is mainly what I had in mind.
> Thanks,
> Steve
> On Mon, Oct 29, 2018 at 8:23 PM Joe Abley <> wrote:
>> Hi Steve,
>> There will always be the potential for tension between the desire to perform measurement and the need for privacy. In this case it seems to me that a well-intentioned and competent authority, supported by a well-intentioned and occasionally-coherent community has a plausible and sensible desire to understand the configuration of resolvers. I imagine others might see things differently, however. I suspect that having a clean signal that can be relied upon is going to at least change the extent to which client infrastructure is private.
>> Your last paragraph caught my eye, though. It could be argued that the rollover that just completed was straightforward, at least from a technical perspective. The delays, uncertainty, concern and unfulfilled doomsaying were the things that made it difficult. (It's easy to load that last sentence so that the concern looks ridiculous given the outcome; I am fully aware that the hyperbole would be the thing that looked ridiculous if things had turned out differently.)
>> To what extent does a regular and frequent cadence of key rollovers obviate the need for concern? It seems to me that at some point down the road if a key roll breaks someone's network, it's going to be much easier to point the finger at the network operator than at whomever is responsible for rolling the key. Perhaps the way to eliminate the things that made the first rollover hard is just to keep doing it until it's officially easy.
>> Joe
>> On 29 Oct 2018, at 18:46, Steve Crocker <> wrote:
>> I won't be in Bangkok, so I won't be able to participate.  In my view, there were two specific problems that dominated the rollover problem.  The first was the inability to determine the configuration of querying resolver.  The second was the in ability to notify resolver operators if it was evident their software was misconfigured.
>> Although these two problems became evident and important during the rollover, they also apply more generally, so if the IETF is going to work on improvements, it would be helpful if the improvements would be useful in the event of other configuration or operational issues.  Ideally, every resolver that issues a query would provide configuration information, perhaps in a controlled fashion, and there should also be a way to notify the resolver operator of operational problems.
>> We will need to do more rollovers in the future, driven at least in part by the need to change algorithms.  I would hope we can work toward making these relatively straightforward.
>> Thanks,
>> Steve
>> On Mon, Oct 29, 2018 at 12:36 PM Dave Lawrence <> wrote:
>>> Dave Lawrence writes:
>>> > Count me as another, for that very reason.  When I first saw Paul's
>>> > message I thought, "oh that's a shame" but figured it to be fairly
>>> > set.  If there's flexibility for making the meeting happen earlier in
>>> > the week, I'd be interested.
>>> Following up to my own message, since this was further down in my box
>>> on another list...
>>> ------- start of forwarded message (RFC 934 encapsulation) -------
>>> From: Paul Hoffman <>
>>> Subject: Re: [ksk-rollover] Informal meeting at IETF 103
>>> To: "" <>
>>> Based on some requests from folks who are leaving the IETF meeting
>>> early, I have also reserved a meeting room for 1600-1700 Wednesday
>>> afternoon (local time), Pagoda Room on the 4th floor.
>>> And just to emphasize: the purpose of this week's informal gatherings is
>>> to let folks in the IETF community chat about their ideas in front of
>>> other IETFers. This is similar to the KSK-related mic lines at the
>>> DNS-OARC and RIPE meetings a few weeks ago. These IETF side-meetings
>>> really are just slightly-better-organized hallway discussions. Given the
>>> wide range of proposals we have already heard, it is good to get a bit
>>> of face-to-face sharing going early.
>>> We won't start formal planning about the KSK futures until after the
>>> rollover process is complete*. When we do, we'll do it in discussion
>>> environments that are much more inclusive than these informal IETF
>>> side-meetings or the mic lines at other technical meetings.
>>> [...]
>>> ------- end -------
>>> _______________________________________________
>>> DNSOP mailing list
>> _______________________________________________
>> DNSOP mailing list
> _______________________________________________
> DNSOP mailing list