Showing posts with label KSK rollover. Show all posts

2018-10-11

Internet Root KSK Rollover, 'Rolling the Key' for the DNS Root Oct 11

If everything goes fine, you should not notice and your systems will all work as normal. However, if your DNS resolvers are not ready to use the new key, your users may not be able to reach many websites, send email, use social media or engage in other Internet activities ... It should be a "non-event" in that it will be "just another day on the Internet" --Dan York
 The Communications Regulatory Authority (CRA) has cautioned the public against misleading information circulating on social media platforms pertaining to an alleged “two-day Internet outage across the world.” The CRA clarified that on October 11, 2018, the Internet Corporation of Assigned Names and Numbers (ICANN) will change the cryptographic key that helps protect the Domain Name System (DNS) — the Internet’s address book--gulf-times.com.
Root KSK Rollover: ICANN Board approved (with dissent), to change or "roll" the key for the DNS root on 11 Oct 2018, first time the key has ever been changed--ICANN.org.
What To Expect During the Root KSK Rollover (pdf, updated 17 Sep 2018) embed below:

More info:

  • What you need to know about the first-ever DNSSEC root key rollover on October 11, 2018--redhat.com.
  • The Root KSK Rollover? What Does It Mean for Me?--circleid.com.
  • Operational Notification: KSK-2010 will be retired from the root zone, potentially affecting validating resolvers--kb.isc.org/docs/aa-01529
  • DNSSEC – Root Zone KSK Rollover--suse.com
  • [SingCERT] Technical Advisory on DNSSEC Root Zone Key Signing Key Rollover--csa.gov.sg
Operational Plans for the Root KSK Rollover | ICANN.org: the current operational plans for 2018 are:


feedback & comments via twitter @DomainMondo


DISCLAIMER

2018-08-26

News Review: ICANN & GDPR, 'WHOIS Is Mostly DEAD' Says Paul Vixie

Domain Mondo's weekly internet domain news review (NR 2018-08-26) with analysis and opinion: Features • 1) ICANN & GDPR EPDP Meetings this week, 'WHOIS Is Mostly DEAD' Says Dr. Paul Vixie, 2) a. KSK Rollover, What to Expect, b. New gTLD .AFRICA, c. Public Comment at ICANN, 3) Names, Domains & Trademarks: a. France.com, b. China, c. Transfers, 4) ICYMI, 5) Most Read.

1) ICANN & GDPR EPDP Meetings this week, 'WHOIS Is Mostly DEAD' Says Dr. Paul Vixie
ICANN EPDP Team Meetings* this week: Tuesday Aug 28, and Thursday Aug 30, 13:00 UTC, 9am EDT. Non-members of the EPDP Team can follow the EPDP meetings via Adobe Connect: https://participate.icann.org/gnso-epdp-observers, or audio cast via browser or application (e.g., iTunes).

*Each EPDP meeting's links to documents, transcripts, MP3 audio and Adobe Connect recording, will be posted here, as made available by ICANN (links to EPDP meetings' transcripts are usually posted on the GNSO calendar within 24 hours). See also EPDP Team wiki, mail list, Temp Spec, EPDP Charter (pdf), and AC/SOs responses to request for early input.

UPDATES 29-30 Aug:
a. Editor's note: the core questions completely missing thus far in the EPDP: Specifically, WHAT registrant data does ICANN need registrars to collect from registrants, and WHY? My answer (which I have given before): NAME of the legal entity or person registering the domain name (i.e., the "registrant"); ADDRESS of the registrant (for contacting registrant concerning the domain name); EMAIL address for contacting the registrant concerning the domain name; PHONE number for contacting the registrant concerning the domain name. Anything more (for ICANN's purposes), is redundant, unnecessary, violative of the GDPR, including data minimization requirements (see ICANN vs EPAG), and in the case of fax numbers, an even more serious cybersecurity risk. The registrar may collect billing and other data in compliance with the GDPR, but that is none of ICANN's business, and should be beyond the scope of the EPDP, Temp Spec and policy. Frankly, the faster the EPDP can reach consensus on the above, the faster they can begin addressing access & accreditation issues.

b. Special interests push U.S. Congress to override ICANN’s WHOIS policy process--internetgovernance.org 29 Aug 2018--copy of the draft legislation (pdf) embed in full below:

c. EPDP Meeting #9 (Agenda in slides embed below), Thursday, 30 August 2018, 13:00 UTC, 9am EDT:

Notes:

UPDATES 28 Aug 2018: 
Slides of Aug 28 EPDP Meeting #8 (includes Agenda and "Project Plan"):

Note: input received on Triage Report and section category allocation (pdf). Aug 28 chat transcript:

UPDATE from the EPDP mail list 27 Aug 2018:
"... The basic task of ePDP is to ratify or modify the temp spec. Here is the relevant statement from the charter:
"This EPDP Team is being chartered to determine if the Temporary Specification for gTLD Registration Data should become an ICANN Consensus Policy, as is or with modifications, while complying with the GDPR and other relevant privacy and data protection law." 
"Regarding access, the charter says, 'Work on this topic shall begin once the gating questions above have been answered and finalized in preparation for the Temporary Specification initial report'
"So: 1) temp spec first; 2) "other relevant privacy and data protection law" is applicable, not just GDPR; 3) we deal with access to redacted Whois data after we have resolved the status of the temp spec."--Professor Milton Mueller (NCSG)

Editor's note: For info and updates on last week's meetings, go to last week's News Review, here's a peek:
EPDP Dysfunction: EPDP Chair Unilateral Rule Change (text graphic)
Little of substance has been accomplished thus far, as the EPDP Team has essentially wasted the month of August preparing a "Triage Report" for the GNSO Council that could have been completed in the first week with a simple survey, or even better, eliminated from the Charter altogether. EPDP Team Chair Kurt Pritz continues with his long, rambling monologues, mostly ignoring suggestions and comments from the more functional, and definitely brighter, EPDP team members. A face-to-face EPDP meeting has been scheduled for September 24-26 in Los Angeles, but at this rate, it's looking increasingly doubtful whether much will get done.

I've yet to see a cogent work plan that first addresses the fundamental questions which ICANN org glossed over or failed to grapple with BEFORE slapping together the Temporary Specification in a rush due to the incompetent ICANN management team wasting 2 years and failing to properly prepare for the GDPR, which became enforceable May 25, 2018 (ICANN management, as late as April, 2018, were laboring under a delusional fantasy that ICANN and its contracted parties would be granted a moratorium from GDPR enforcement.)

The EU GDPR was adopted on 27 April 2016 and published in the EU Official Journal on 4 May 2016. ICANN has had an office in Brussels for more than 10 years (pdf) and European Data Protection authorities have been warning ICANN about its public WHOIS data since 2003, and yet, neither ICANN nor the U.S. government's NTIA warned the "global multistakeholder community" about the ramifications of GDPR for ICANN and its public WHOIS directory, before the IANA transition was completed October 1, 2016. Neither the dysfunctional "ICANN Community" nor their expensive law firms, which received $15 million in legal fees preparing for the IANA transition, ever mentioned the GDPR as a "risk factor" or otherwise.
ICANN's GDPR Train Wreck (graphic) ©2018 DomainMondo.com
Definition: "train wreck" (noun) a chaotic or disastrous situation that holds a peculiar fascination for observers.
Dr. Paul Vixie of FarSightSecurity.com on the Uncertain Fate of WHOIS, & Other Matters of Internet Accountability at Black Hat 2018 USA, "WHOIS is mostly DEAD" (video below): Dr. Paul Vixie discusses the uncertain fate of WHOIS in the age of GDPR, the risks of domain name homographs, and other underpinnings of the internet that are hard to trust and harder to fix. Video provided by, and also available at darkreading.com if the above does not play in your browser, recorded at Black Hat 2018 USA.

Note also:
  • ICANN Board reaffirmed Temporary Specification for an additional 90-day period on Aug 21.
  • ICYMI: ICANN's ePDP - An Insider's Perspective | circleid.com: "... There really is no clear path forward if this group is unable to produce a final report with specific policy to replace the temporary specification when it expires in May of 2019. If that were to happen, it's not a stretch to think it would call into question the overall ability of ICANN (and the community) to manage the global DNS ..."--EPDP Team member Matt Serlin.

2) Other ICANN News
a. Internet Root KSK Rollover 11 October 2018, What To Expect
What to Expect During the Root KSK Rollover (pdf)
"... the user will start seeing failure sometime in the 48 hours after the rollover. Users will see different symptoms of failure depending on what program they are running and how that program reacts to failed DNS lookups. In browsers, it is likely that a web page will become unavailable ... In email programs, the user might not be able to get new mail, or parts of message bodies may show errors. The failures will cascade until no program is able to show new information from the Internet. Note that the term “users” here does not just indicate humans. Automated systems that are also using unprepared resolvers for their DNS resolution will start to fail, possibly catastrophically."--What To Expect During the Root KSK Rollover, supra, p. 5, (emphasis added).
Root KSK Rollover--SSAC: Let's 'Roll the Dice' on Crashing the Internet!--SAC102: SSAC Comment on the Updated Plan for Continuing the Root KSK Rollover [PDF] excerpt from the dissenters*:
"The decision to proceed with the keyroll is a complex tradeoff of technical and non-technical risks. While there is risk in proceeding with the currently planned roll, we understand that there is also risk in further delay, including loss of confidence in DNSSEC operational planning, potential for more at-risk users as more DNSSEC validation is deployed, etc. While evaluating these risks, the consensus within the SSAC is that proceeding is preferable to delay. We personally evaluate the tradeoffs differently, and we believe that the risks of rolling in accordance with the current schedule are larger than the risks of postponing and focusing heavily on additional research and outreach, and in particular leveraging newly developed techniques that provide better signal and fidelity into potentially impacted parties. We would like to reiterate that we understand our colleagues' position, but evaluate the risks and associated mitigation prospects differently. We believe that the ultimate decision lies with the ICANN Board, and do not envy them with this decision ..."--SAC102 Dissent, p.4
*Dissenters:
  • Danny McPherson (Chief Security Officer for Verisign); 
  • Warren Kumari (Senior Network Engineer/Senior Network Security Engineer with Google);
  • KC Claffy (founder and director of the Center for Applied Internet Data Analysis (CAIDA), based at the University of California's San Diego Supercomputer Center, and Adjunct Professor in the Computer Science and Engineering Department at UCSD); 
  • Jay Daley (techobscura.com, interim President & CEO PIR.org);
  • Lyman Chapin (co-founder and partner at Interisle Consulting Group).

b. DotConnectAfrica Trust v. ICANN (Trial Court Proceeding) 1 August 2018 
Court Order: Trial date vacated; Status Conference scheduled for 25 September 2018. 

c. ICANN Public Comment Periods closing in September (on each date indicated at 23:59 UTC) subject to change by ICANN:

d. ICANN Global Domains Division (GDD) General Operations Handbook for Registrars 21 Aug 2018: registrar-handbook-21aug18-en.pdf [421 KB], and Registrar Billing Frequently Asked Questions (FAQ) 21 Aug 2018 registrar-billing-faq-21aug18-en.pdf [323 KB].

3) Names, Domains & Trademarks
a. France.com: Miami Man Sues France For Seizing His Domain Name--Marketplace.org podcast (MP3) also available here. Includes commentary by University of Miami Law Professor Michael Froomkin.

b. China's first internet court handles over 10,000 cases | xinhuanet.com: mainly civil cases such as contract disputes involving online shopping, service and small loans, copyright and infringement lawsuits, domain name disputes, internet defamation, and some administrative lawsuits.

c. Post GDPR gTLD Domain Name Transfers--realtimeregister.com.

4) ICYMI Internet Domain News 
a. US: 
  • Congress should consider small-business exception to internet sales tax--TheHill.com.

b. China: 
  • From laboratory in far west, China's surveillance state spreads quietly--reuters.com.
  • Google is welcome to return to China, but only if it complies with the censorship regime enforced by the government of China’s internet regulator, according to a report in Chinese state media (the People's Daily)--Newsweek.com.

c. Russian hackers targeted U.S. conservative think-tanks, says Microsoft--reuters.com.

d. AI: New genre of artificial intelligence programs take computer hacking to another level | trust.org.

e. India: India Steps Towards Internet Freedom: DoT Bars ISPs From Blocking Internet Content | inc42.com.

5) The Most Read Post this past week on DomainMondo.com: 

-- John Poole, Editor, Domain Mondo 


2018-07-22

News Review | ICANN Is Unfit, The IANA Transition Should Be Unwound

Domain Mondo's weekly internet domain news review (NR 2018-07-22) with analysis and opinion: Features • 1) Comment to NTIA: ICANN Is Unfit, The IANA Transition Should Be Unwound, 2) ICANN news: a. ICANN vs EPAG - ICANN Loses Again, b. WHOIS & GDPR: Expedited Policy Development Process (EPDP) Team, and more, 3) Names, Domains & Trademarks: a. The Power of TLD .COM, b. Verisign Q2 2018 earnings, and more, 4) ICYMI, 5) Most Read.

UPDATE--Should the IANA Transition Be Unwound? Read all comments submitted to NTIA here.

Original Post:
1) Comment to NTIA: ICANN Is Unfit, The IANA Transition Should Be Unwound
"ICANN is incompetent, corrupt, and unfit for the role it was given by the U.S. government in 1998 ... The IANA transition was a mistake and a fraud upon the American people and the global internet community."


Full comment with all attachments (pdf 2MB) (57 pages), also at NTIA here (pdf).

See also George Kirikos's comment here (pdf).

2) ICANN News
a. ICANN v. EPAG Domainservices, GmbH
 ICANN's GDPR Train Wreck: ICANN Loses Again in German Court
ICANN and its IP Constituency (trademark lawyers) lost Round 2 in ICANN's legal action (request for an injunction) against EPAG Domainservices, GmbH, an affiliate of Tucows, the world's second largest domain name registrar, filed in the Regional Court of Bonn, Germany. The case is now headed to the Higher Regional Court of Cologne as the court of appeal, which could refer the matter to the European Court of Justice. For more read the updates at last week's News Review.

b. WHOIS & GDPR: Expedited Policy Development Process (EPDP) Team 
As noted in the updates to last week's News Review, the GNSO Council approved the Expedited Policy Development Process (EPDP) Initiation Request (pdf) and Charter (pdf) at its meeting Thursday, July 19, 2018. It is expected that the EPDP Team, chaired by Kurt Pritz, will hold its first meeting during the week of 30 July 2018. The three dissents: Ayden Férdeline (pdf), Tatiana Tropina (pdf) and Stephanie Perrin (pdf):
"Yes, and I think that Tatiana and Ayden have eloquently expressed many of my reasons. There is one issue that I would like to add to those and that is that it is plainly evident from the way that we have approached this question and the EPDP that we've not yet, as ICANN, and as the GNSO addressing the problem of GDPR, some of us don't think it’s a problem, some of us think it’s an improvement, but at any rate we have not addressed the issue with the benefit of the advice that we have received from the data commissioners, in other words, with the perspective of data protection law. And I feel that it’s long overdue to address these concerns. I don't wish to delay the progress; we have to get busy. I have a remedy and I will try and bring remedy throughout the work on the EPDP. We have a volunteer from the Council of Europe to assist us in legal interpretation, that would be Peter Kimpian, a data protection lawyer from the Hungarian Data Protection Office who has worked extensively with the Council of Europe on GDPR and on Convention 108 and the revised Convention 108. They have offered to assign him to us. I would recommend that the Council accept that offer because at the moment we have a – we have a charter that is not framed the way it should be in terms of data protection analysis and we need to remedy this. And I share with both Ayden and Tatiana the concerns that we have many members that are turning this into a cross community working group but none of them who could, are bringing a data protection expertise to the table. Thank you."--Stephanie Perrin (emphasis added).

Also note ICANN at a Crossroads: GDPR and Human Rights | circleid.com by Raphaël Beauregard-Lacroix:
"... In a 17 May letter, European commissioners asked ICANN, through its CEO, to "show leadership and demonstrate that the multi-stakeholder model actually delivers." Be it taunting or encouraging, this challenge underscores the current need for intentional, proactive leadership from both the ICANN organisation and its community ..."
See also:

c. Approved Board Resolutions | Special Meeting of the ICANN Board 18 Jul 2018--ICANN.org: Big Fat Pay Increases for ICANN's Incompetent Management Team, Extension of CEO's contract to run through May 2022, Reconsideration requests of dotgay, Dot Music, and more at link above.

d. Famous Last Words--"ICANN org has increased confidence that the root KSK rollover planned for 11 October 2018 will have the potential to affect only a tiny fraction of DNS users"--ICANN.org 18 July 2018.

e. ICANN Board Approves Dysfunctional Implementation of At-Large Review over objections from members of the ICANN community--ICANN Board Minutes | ICANN.org 23 June 2018 meeting. The objections included comments from the Registrar Stakeholder Group,  Registries Stakeholder Group "... Structures that are intended to support user engagement in ICANN may, in fact, hinder direct user participation and discourage new voices from engaging with ICANN policy development processes ... Fifty percent of At-Large respondents and seventy-five percent of non-At-Large respondents believed that At Large Structures are not truly representative of global end user opinion ... These findings point to fundamental problems with At-Large representation" and NCSG--"... At-Large has been dominated by a few people for too long ... It is not focused enough on holding ICANN (via the Board) accountable and empowering individual Internet users ..." [Editor's note: any wonder why the ICANN Board brushed aside these valid objections? ICANN: unfit, incompetent, corrupt.]

f. CCWG-Accountability WS2 have distributed their final report for consideration to the ICANN Chartering Organizations. The Final Report includes a summary of work completed by WS2 and a listing of recommendations, here and here (with annexes). The Chartering Organizations have been asked to complete their approval of the Final Report by the conclusion of ICANN63 October 20-25, 2018. If approved, it will then be sent to the ICANN Board for approval and implementation.

g. Methodology Review of the Domain Abuse Activity Reporting (DAAR) System | ICANN.org.

h.  Better Late Than Never--Name Collision Analysis Project (NCAP)--report-comments-ncap-project-plan-13jul18-en.pdf (pdf) excerpt: "The ALAC urges the SSAC to proceed with the Name Collision Analysis Project (NCAP) Work Party's project plan and allocate enough time to do it right. We believe it is important to minimize the unintended consequences for end users. Name Collision occurs when a user, attempting to reach a private domain name, unintentionally reaches a public domain name and, as such, cut to the core of end user trust of the internet and could pose potential security issues."

i. ICANN Naming Services portal User Guide for Registries 19 Jul 2018: nsp-user-guide-19jul18-en.pdf [637 KB]

3) Names, Domains & Trademarks
a. The Power of Top Level Domain .COM: After years of complaints from rival search engine DuckDuckGo, Google has relented--Google obtained domain name duck.com when it bought video compression startup On2 (on2.com) in 2010, and redirected duck.com to google.com, but now Google is redirecting the domain name duck.com to on2.com, a page with links to duckduckgo.com, ducks.com which redirects to basspro.com (Bass Pro Shops), and to an article on Wikipedia.org about ducks. On Friday, DuckDuckGo CEO & Founder Gabriel Weinberg tweeted "Thank you! That will clear up the consumer confusion. Would you please consider selling the domain to us?"

b. Verisign (NASDAQ: VRSN) Q2 2018 earnings webcast July 26, 4:30pm EDT.
c. ICANN's New gTLD IDNs: Cyrillic Characters Are Favorites for IDN Homograph Attacks--bleepingcomputer.com.

d. Next steps for brand protection in a post-GDPR world: trademark takeaways from ICANN 62 | worldtrademarkreview.com.

4) ICYMI Internet Domain News 
  • India: Bordering on Absurd: Rajasthan’s Obsession with Internet Shutdowns--thequint.com.
  • U.S. to help organizations interested in programs supporting Internet Freedom--devdiscourse.com.
  • ITU and Global Cyber Alliance join forces to help countries prepare for and respond to cyber-threats: "Secured cyberspace vital for the development of the digital economy"--itu.int

5) Most Read Posts this past week on DomainMondo.com: 




-- John Poole, Editor, Domain Mondo 
