Business Constituency (BC) comment on Plan for Root Zone KSK Change
- To: "comments-root-ksk-06aug15@xxxxxxxxx" <comments-root-ksk-06aug15@xxxxxxxxx>
- Subject: Business Constituency (BC) comment on Plan for Root Zone KSK Change
- From: Steve DelBianco <sdelbianco@xxxxxxxxxxxxx>
- Date: Mon, 5 Oct 2015 13:08:15 +0000
The BC appreciates the opportunity to comment on this important implementation.
We recognize that ICANN’s security team puts much thought and energy into
planning and executing its key-signing ceremonies.
The BC noticed that a few considerations by the security team offer the
opportunity for greater success of its key-signing ceremonies overall, and the
pending critical RZ KSK key rollover specifically.
#1: The current key generation algorithms are based on security technology
considered weak by today’s standards. We support thought and planning toward
moving to RSA/DSA 2048 (or stronger) encryption for both the key-signing key
(KSK) and zone-signing key (ZSK), in whatever way ensures the greatest
opportunity for maintaining the security, stability and reliability of the
Internet.
#2: The BC notes the lack of any measurements during implementation – no
metrics, no documented post-mortem. Developing metrics, using NIST SP 800-55
or some other implementation performance framework, will serve the current
team, future teams, and the community. Reporting on collected measurements
will give visibility to successes and failures, and provide greater
transparency overall.
The BC agrees with SSAC (SAC063:
https://www.icann.org/en/system/files/files/sac-063-en.pdf ) that we should
begin to tally DNSSEC misconfigurations, and determine the level of
misconfigurations considered acceptable. Metrics also for the Communications
Plan will be useful for planning and improving future key-signings, encryption
upgrades, and other maintenance having the potential to impact the Internet
community at large.
The BC acknowledges that a data collection scheme will require great planning
and efficiency, and likely dedicated resources to organize and execute. The BC
supports making efforts toward a plan for uniform collection and reporting.
#3: The document does not address an issue that has been raised in the past by
SSAC. Namely, that smaller DNS operators may not be aware of the KSK change.
This points to the need for word to be spread far and wide, sharing about the
risk of their Internet communications being interrupted. The BC recommends a
communications program in advance of this change to inform ISP communities
around the world.
#4: Among the ICANN planning team, the BC notes that all contributors appear
to be from Verisign, NIST, NTIA, and ICANN. The BC encourages the Team to
actively solicit and include qualified resources from more than just these four
organizations.
--
This comment was drafted by Angie Graves, with contributions from Stephen
Coates and Steve DelBianco.
It was approved in accord with our charter.