Skip to main content
Resources

Adopted Board Resolutions | Special Meeting of the ICANN Board

  1. Main Agenda:
    1. KSK Roll Current Status
    2. ICANN Board Leadership

 

  1. Main Agenda:

    1. KSK Roll Current Status

      Whereas, the Root Zone KSK (Key Signing Key) Operator DPS (DNSSEC Practice Statement) from 2010 contains this statement "Each RZ KSK will be scheduled to be rolled over through a key ceremony as required, or after 5 years of operation."

      Whereas, the technical community published in March 2016 a proposed plan to roll the DNS root KSK through a multi-step process that would last over a year.

      Whereas, ICANN organization published in July 2016 an operational implementation plan for ICANN to roll the DNS root KSK through a process where each step can be observed by the community to be sure that the process was not creating unexpected problems.

      Whereas, ICANN organization published in July 2016 an external test plan to allow DNS resolver operators to test their readiness for the anticipated KSK roll.

      Whereas, ICANN organization published in July 2016 a back out plan detailing how major steps in the plan to roll the KSK could be reversed in case significant security, stability, or resiliency issues in the DNS were discovered.

      Whereas, ICANN organization published in September 2016 a plan for monitoring the steps in the anticipated KSK roll in order to detect any anomalies that would affect the security, stability, or resiliency of the DNS.

      Whereas, for over a year, ICANN organization has been educating the community about the intended plan to roll the DNS root KSK through talks at operators meetings, interviews in the press, and general social media.

      Whereas, the CEO has informed the Board that most of the steps of the plan have been acted upon, that contingency plans are in place and that he will move forward so long as there are no significant observed effects on the security, stability, or resiliency of the DNS as a whole.

      Resolved (2017.09.23.01-A), the ICANN organization is directed to roll the DNS root KSK as soon as is practical.

      Rationale for Resolution 2017.09.23.01-A

      Why is the Board addressing this issue now?

      The next step in the KSK roll is anticipated to happen on September 19, 2017 when the root zone grows to its largest size due to normal addition of a second ZSK (Zone Signing Key). If there is no problem with the step that adds the ZSK, the next step is anticipated to happen on October 11, 2017, when the root zone will be signed with the new KSK; this is the full KSK roll. Assuming that these steps work well and no back out is required, there are a few more minor clean-up steps planned for future months.

      What is the proposal being considered?

      To instruct ICANN organization to continue with the plan expressed in "2017 KSK Rollover Operational Implementation Plan" (https://www.icann.org/en/system/files/files/ksk-rollover-operational-implementation-plan-22jul16-en.pdf [PDF, 741 KB]) and "2017 KSK Rollover Monitoring Plan" (https://www.icann.org/en/system/files/files/ksk-rollover-monitoring-plan-15sep16-en.pdf [PDF, 480 KB]), as modified by "2017 KSK Rollover Back Out Plan" (https://www.icann.org/en/system/files/files/ksk-rollover-back-out-plan-22jul16-en.pdf [PDF, 506 KB]) if needed.

      What stakeholders or others were consulted?

      Numerous technical stakeholders have been consulted for over a year. There have been detailed presentations at network operators' meetings throughout the world, at technical meetings such as IETF and DNS-OARC, and at ICANN meetings.

      The design team for the proposed plan included members of the technical community from around the world, who took detailed review comments during their creation of the plan.

      What significant materials did the Board review?

      The Board reviewed the documents linked from the page at https://www.icann.org/kskroll. That page has been widely referenced in the presentations mentioned above.

      Are there positive or negative community impacts?

      The main positive community impact is proof that ICANN can successfully act on our commitments to maintain the security, stability, and resiliency of the DNS root KSK. An additional positive impact is that the technical community has shown a greater interest in the technical implementation details of ICANN's key signing ceremonies. Taking this action is in the public interest as it contributes to the commitment of the ICANN organization to strengthen the security, stability, and resiliency of the DNS.

      To date, there have been no significant negative community impacts. During the future steps in the KSK roll, there may possibly be noticeable security, stability, or resiliency issues discovered with the roll process. If those issues are significant enough for ICANN to need to back out of the roll, the act of rolling back could cause different stability issues while lessening the issues from the roll. These are discussed in great detail in "2017 KSK Rollover Back Out Plan" (https://www.icann.org/en/system/files/files/ksk-rollover-back-out-plan-22jul16-en.pdf [PDF, 506 KB]), which has been widely reviewed in the technical community.

      Are there fiscal impacts or ramifications on ICANN (strategic plan, operating plan, budget); the community; and/or the public?

      The next steps in the key roll are already accounted for in the operating plan and budget. It is not anticipated that the roll will cost the community or the public any money.

      Are there any security, stability or resiliency issues relating to the DNS?

      There are possible security, stability, or resiliency issues with rolling the root KSK if the roll exposes operational issues, but there are also significant security and resiliency issues of not rolling the root KSK. The balance between these two were considered by the technical community during the planning stages of the roll and there was strong consensus that performing the roll was warranted.

    2. ICANN Board Leadership

      Whereas, the current Chair of the ICANN Board will be departing from the Board at the close of ICANN's Annual Meeting in November 2017.

      Whereas, the ICANN Board as a whole has discussed and considered the succession of the Board's leadership, including during the Board's September 2017 workshop in Montevideo, Uruguay.

      Whereas, all current and incoming members of the Board had an opportunity to participate in the discussion of the Board's future leadership, and have indicated support for the future election of [REDACTED]. The Board followed the process as documented at https://www.icann.org/en/system/files/files/informing-leadership-slate-practice-10nov13-en.pdf [PDF, 44 KB].

      Whereas, the formal election of the next Chair and Vice-Chair of ICANN will be a matter for consideration of the ICANN Board seated after the close of ICANN's Annual Meeting in November 2017 (ICANN 60). As in prior years, the newly seated ICANN Board will convene an Organizational Meeting for the purposes of electing the Chair and Vice-Chair, identifying the Board Committee compositions, and other regular organizational items.

      Resolved (2017.09.23.02-A), the Board agrees that the Chair should provide a communication summarizing the workshop, including the Board leadership selections identified for inclusion in the slate to be considered and voted on at ICANN 60.

      Rationale for Resolution 2017.09.23.02-A

      The Board is taking this action today to support transparency and to demonstrate its commitment to a well-supported transfer of responsibilities in leading the Board. After six years under the same Chair, advance planning for the transfer of those responsibilities will help support continuity in ICANN's service of its mission. The public interest is served through the advance announcement of the future leadership slate, as it provides predictability and stability to the entirety of ICANN (the Community, Board and Organization) and assurance that the Board continues to focus its energies on its strategic and oversight roles.

      In identifying the future leadership, the Board included all members that will be eligible to vote on the leadership slate at ICANN 60, and followed its documented process that is available at https://www.icann.org/en/system/files/files/informing-leadership-slate-practice-10nov13-en.pdf [PDF, 44 KB]. The current Chair, Steve Crocker, will remain as Chair until the end of his term, and the current Vice-Chair, Cherine Chalaby, will remain in that role until the end of the Annual Meeting held at ICANN60. The new leadership of the Board will be subject to consideration and vote at the Organizational Meeting convened at the end of ICANN 60.

      There are no anticipated impacts on ICANN's resources as a result of this action. In addition, there is not anticipated impact on the security, stability or resiliency of the Internet's DNS.

      This is an Organization Administrative Action for which no public comment is required.

Published on 25 September 2017

Domain Name System
Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as""icann.org"" is not an IDN."