ICANN Resolutions » Proceeding with KSK Rollover
Important note: The Board Resolutions are as reported in the Board Meeting Transcripts, Minutes & Resolutions portion of ICANN's website. Only the words contained in the Resolutions themselves represent the official acts of the Board. The explanatory text provided through this database (including the summary, implementation actions, identification of related resolutions, and additional information) is an interpretation or an explanation that has no official authority and does not represent the purpose behind the Board actions, nor does any explanations or interpretations modify or override the Resolutions themselves. Resolutions can only be modified through further act of the ICANN Board.
Whereas, ICANN org committed to roll the KSK "after 5 years of operation" as documented in the "DNSSEC Practice Statement for the Root Zone KSK Operator".
Whereas, ICANN org solicited a design team to prepare a full set of plans in order to implement the KSK roll.
Whereas, as part of the implementation of that plan, ICANN org collected certain data that raised questions relating to the impact of the KSK rollover on end users.
Whereas, ICANN org suspended the rollover on 27 September 2017 in order to understand the data being collected.
Whereas, ICANN org, in consultation with members of the DNS technical community, gained further understanding of the data that had been collected.
Whereas, ICANN org extrapolated the likely impact of the KSK roll.
Whereas, ICANN org has updated the full plan documents and created "Updated Plan for Continuing the Root KSK Rollover".
Whereas, the Board has received input from RSSAC, RZERC, and SSAC on the plan documents and that input indicates that those bodies found no reason to not continue with the updated plan for the KSK rollover and that portions of the community, in particular, those in the DNS technical community, have expressed concerns about the impact of further postponing the KSK rollover, specifically that: not moving forward with the KSK rollover would not be in keeping with the consensus of community expectations; is not supported by data obtained to date; could result in confusion about or loss of community attention to ICANN org's DNSSEC messaging; could encourage a belief that the KSK will never be rolled resulting in a risk of the current KSK getting embedded in hard-to-change system; and/or reduce confidence in DNSSEC as a trustworthy system.
Whereas, the anticipated number of end users negatively impacted by the KSK rollover is significantly less than the community-specified threshold of 0.5% of end users, and the identification and remediation of that negative impact should be straightforward for those affected.
Whereas, ICANN believes that the benefits to the community of proceeding with the rollover in a timely fashion outweigh the difficult to quantify risks.
Resolved (2018.09.16.11), that the Board instructs ICANN org to proceed with the KSK rollover as described in the "Updated Plan for Continuing the Root KSK Rollover".
The plan to roll the DNS root KSK was paused on 27 September 2017 due to unexpected data, specifically data received as a result of early implementations of RFC 8145, that raised questions related to how ready validating resolvers were for the roll that was scheduled to be implemented on 11 October 2017. ICANN org, along with others, analyzed that data and determined that there were indications that a relatively small percentage of resolvers were likely to be negatively impacted by the KSK rollover, however it was also established that the data was unsuitable for determining the number of end users that would be impacted.
Based on that research, ICANN org asked the technical community to recommend a plan of action. While there was a minority dissent, the majority of input from that community was that ICANN org should proceed with the KSK rollover procedure in an orderly fashion.
With that input, ICANN org created a summary plan, titled "Plan for Continuing the Root KSK Rollover", to roll the root KSK on 11 October 2018. ICANN org published the summary plan for community review on 1 February 2018 (see ). The time allowed for comments was extended beyond the normal 45 days to allow presentations about the plan at ICANN 61 in San Juan and IETF 101 in London and to request more community input at those fora.
The consensus of the community response received by 2 April 2018 was in favor of the published plan, with some suggestions of additional outreach that ICANN org has already done. Based on that community response, ICANN org created the "Updated Plan for Continuing the Root KSK Rollover", revising the original KSK roll plan documents to show which steps had already been taken and which steps still needed to be taken using the revised dates. These plan documents are available at .
The community input on the proposed plan came from a variety of Advisory Committees, Stakeholder Groups, organizations, and individuals. The Board requested explicit input from RSSAC, RZERC, and SSAC on the proposed plan. The following are responses to the Board's request:
RSSAC: RSSAC039, "RSSAC Statement Regarding ICANN's Updated KSK Rollover Plan" [PDF, 102 KB], 7 August 2018
RZERC: RZERC001, "Feedback on the Updated Plan for Continuing the Root Key Signing Key (KSK) Rollover" [PDF, 142 KB], 10 August 2018
SSAC: SAC102, "SSAC Comment on the Updated Plan for Continuing the Root KSK Rollover" [PDF, 85 KB], 17 August 2018
ICANN org considered all the findings in these three responses from Advisory Committees, particularly any findings that were hesitant about proceeding with the rollover. On balance, ICANN org interprets those findings as to indicate the risks of disruption to a very small number of Internet users who may never be prepared for a rollover as being less than the benefits of rolling the KSK now and regularly in the future. The attached reference material also lists the major objections to proceeding known to ICANN org along with responses to those objections.
The KSK rollover is not anticipated to have any fiscal impact on ICANN org that has not already been accounted for in the budgeted resources necessary for ongoing support of the root KSK rollover.
This decision is in the public interest and within ICANN's mission, as it supports ICANN org's work to ensure the stable and secure operation of the Internet's unique identifier systems.
This is an Organizational Administrative Function that does not require public comment beyond what has already been requested.