
Announcing Draft Plan For Continuing With The KSK Roll

A formal ICANN public comment period has been opened to receive community input on a draft plan [PDF, 93 KB] to proceed with the KSK rollover project. This comment period will run until 1 April 2018 and we are eager to receive any and all comments.

The plan calls for rolling the root zone KSK on 11 October 2018 (one year later than originally planned), continuing extensive outreach to notify as many resolver operators as possible, and publishing more observations of the RFC 8145 trust anchor report data. Additional details are contained within the plan.

In addition, we are planning a session at ICANN61 in Puerto Rico to further discuss the plan and obtain additional feedback.

The draft plan follows our posting in late December, in which the ICANN organization announced next steps in the process to resume the root KSK rollover project. We described our efforts to track down the operators of DNS resolvers that were not ready for the rollover.

Using a protocol described in RFC 8145, these problematic resolvers had reported to the root servers a trust anchor configuration with only the current KSK (known as KSK-2010) and not the newer KSK (known as KSK-2017).
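An added example (not ICANN's code) of how an operator could classify RFC 8145 key tag queries seen in a query log, to spot resolvers that still report only KSK-2010. The key tags 19036 (KSK-2010) and 20326 (KSK-2017) are the published root KSK key tags and do not appear in this post; the `(source, QNAME)` record shape and all sample records are constructed assumptions.

```python
# Added example: classify RFC 8145 key tag queries ("_ta-xxxx[-xxxx...]").
KSK_2010 = 19036  # key tag of root KSK-2010 (0x4a5c)
KSK_2017 = 20326  # key tag of root KSK-2017 (0x4f66)

def parse_ta_qname(qname):
    """Return the set of key tags in a root-zone '_ta-' QNAME, or None."""
    label = qname.rstrip(".").lower()   # DNS names are case-insensitive
    if "." in label or not label.startswith("_ta-"):
        return None                     # root reports are a single label
    tags = set()
    for part in label[4:].split("-"):
        # Each key tag is exactly four hexadecimal digits.
        if len(part) != 4 or any(c not in "0123456789abcdef" for c in part):
            return None
        tags.add(int(part, 16))
    return tags

def classify(tags):
    if KSK_2017 in tags:
        return "ready"          # already trusts the new KSK
    if KSK_2010 in tags:
        return "ksk2010-only"   # would fail validation after the roll
    return "unknown"

def summarize(records):
    """records: iterable of (source, qname); the latest report per source wins."""
    status = {}
    for src, qname in records:
        tags = parse_ta_qname(qname)
        if tags is not None:
            status[src] = classify(tags)
    return status

SAMPLE = [  # constructed records using documentation address ranges
    ("192.0.2.10", "_ta-4a5c."),
    ("192.0.2.11", "_ta-4a5c-4f66."),
    ("198.51.100.7", "www.example.com."),  # ordinary query, ignored
    ("198.51.100.8", "_ta-4A5C."),
    ("203.0.113.5", "_ta-zzzz."),          # malformed, ignored
    ("192.0.2.10", "_ta-4a5c-4f66."),      # same resolver after it picked up KSK-2017
]

if __name__ == "__main__":
    for src, state in sorted(summarize(SAMPLE).items()):
        print(src, state)
```

A source address in such data may be a forwarder or NAT relaying reports from other resolvers, so a result describes the reporting path, not necessarily a single resolver.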

In our December posting we also detailed the difficulty in contacting operators, and noted that when we were able to reach an operator, we learned that there were a variety of causes for the resolver’s lagging configuration.

The bottom line is that these findings did not afford much clarity as to the next steps for mitigating specific causes nor did they afford any guidance for appropriate messaging. Faced with this situation, we announced our intention to solicit input from the community on acceptable criteria for proceeding with the root KSK roll.

Since that posting in December, a robust discussion has taken place among interested community members. There was agreement during these discussions that there is no way to accurately measure the number of users who would be affected by rolling the root KSK, even though there was a belief that better measurements may become available for future KSK rollovers.

The consensus of those involved in the discussions was that the ICANN org should proceed with rolling the root zone KSK in a timely fashion while continuing outreach to ensure that word of the rollover reaches as wide an audience as possible.

We look forward to continuing to work with the ICANN community to roll the root zone KSK.

