[dns-operations] root? we don't need no stinkin' root!

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Dec 2 20:30:30 UTC 2019


On Dec 2, 2019, at 3:09 PM, Mark Allman <mallman at icir.org> wrote:

> > For reachability, it is not enough to consider the nameserver IP
> > addresses, did you also check DS record stability?
>
> I did not.  I was more interested in understanding how much the
> infrastructure churned.  To me the crypto stuff is config that we
> can more readily hack.   And, while I didn't scrutinize your long
> list, I sort of skimmed and it seems the changes may not always keep
> for a year, but are generally more than "a few days".

Yes, the key question is: once a new DS RR is added, how long before
it becomes the only way to authenticate the TLD in question?
And I would not be surprised to find that this is in many cases a
matter of days.  So a root zone that's a day or two old is likely
generally sufficient, but much more than that, and some TLDs could
become unreachable.

Of course if the zone distribution model changes, and resolvers
are expected to have somewhat stale root zone copies, then perhaps
TLDs would have to take that into account and roll out changes more
slowly.  For example, the previous DS would have to be good for at
least ~14 days after a new one is added, and outdated TLD KSKs would
only be eligible for retirement after a 14-day overlap...

Can we reasonably expect TLD operators to live within such constraints
and not mess up too often?

-- 
    Viktor.
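
The overlap constraint discussed in the message above, as an added example that is not part of the original post: it measures, per TLD, how long the previous DS stayed in the root after a new one appeared and flags TLDs that would strand a root zone copy of a given age. The DS history, TLD names and key tags are constructed, the function names are hypothetical, and the code assumes a key stops being usable the day its DS leaves the root zone.

```python
from datetime import date

# Constructed DS history: (tld, key_tag, date_added, date_removed or None).
# TLD names, key tags and dates are made up for illustration.
DS_HISTORY = [
    ("example", 11111, date(2019, 1, 1), date(2019, 11, 8)),
    ("example", 33333, date(2019, 11, 5), None),
    ("test", 22222, date(2019, 1, 1), date(2019, 11, 25)),
    ("test", 44444, date(2019, 11, 8), None),
]

def min_overlap_days(history, tld):
    """Shortest window (days) in which a root copy made just before a new DS
    was added could still authenticate the TLD. None means no rollover seen.
    Assumes a key stops being usable the day its DS leaves the root zone."""
    records = [r for r in history if r[0] == tld]
    worst = None
    for _, _, added, _ in records:
        # DS records already published just before this one appeared.
        prior = [r for r in records
                 if r[2] < added and (r[3] is None or r[3] >= added)]
        if not prior or any(r[3] is None for r in prior):
            continue  # first DS for the TLD, or an older DS is still live
        overlap = (max(r[3] for r in prior) - added).days
        worst = overlap if worst is None else min(worst, overlap)
    return worst

def tlds_at_risk(history, max_copy_age_days):
    """TLDs whose observed rollovers would strand a copy of the given age."""
    risky = {}
    for tld in sorted({r[0] for r in history}):
        overlap = min_overlap_days(history, tld)
        if overlap is not None and overlap < max_copy_age_days:
            risky[tld] = overlap
    return risky

if __name__ == "__main__":
    for age in (2, 14):
        print(f"copy up to {age} days old:", tlds_at_risk(DS_HISTORY, age))
```

With real data the history would come from dated root zone snapshots; DS removal is only a proxy for KSK retirement, so the result is an estimate of which TLDs a stale copy might fail to validate.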

