https://www.icann.org/en/system/files/files/sac-063-en.pdf

6. Risks Associated with Key Rollover

It is generally accepted that the DNS is a critical Internet system. The root zone is a critical component of the DNS, given its unique importance as the starting point for all resolution and as a starting point for trust in DNSSEC. A root zone KSK rollover would thus mean changing a critical component of a critical system. This section enumerates some of the risks associated with such a high impact change.

The first and largest risk is that some portion of DNSSEC Validators using the root zone KSK as a TA will not, for whatever reason, properly install the new root zone KSK TA during a rollover. The result for affected Validators is failed DNSSEC validations for all DNS records except those for which a Validator has a more specific TA configured. However, it is reasonable to assume that most, if not all, validating resolvers exclusively use the root zone’s KSK as a TA. For such a Validator, an out-of-date and invalid root zone KSK remaining configured as a trust anchor means failed validation for any DNS response it attempts to authenticate.

An analysis of the potential impact of this risk is discussed in Appendix A of this report. Referencing that discussion, it is estimated that as of this writing, 8.3 percent of all Internet clients use resolvers that perform DNSSEC validation using the root KSK as a TA. This represents the population of users that might be affected by errors at the root level. However, only about 87 percent of those clients are using validators that are expected to properly update their TA with some confidence, leaving the fate of 1.1 percent (i.e., 13 percent of the 8.3 percent of users using validation) of users in question with a root KSK rollover.
There is also some risk of increased traffic to the root or other authoritative servers, particularly from validating resolvers that failed to update to the root TA after a rollover. The basis for this concern is the 2009 incident documented as “Roll Over and Die?”[27] in which an outdated TA for a number of resolver implementations resulted in a large increase in traffic to authoritative DNS servers. Appendix A explains some small-scale testing of this scenario, showing that newer versions of some validator implementations still cause increased traffic to authoritative servers when an invalid TA is used. However, the observed increase is of a much smaller magnitude than that observed in 2009 and the root and TLD zones are not impacted at all.

As discussed previously, a number of procedural and technical risks associated with the rollover process itself exist. Although the rollover process is expected to be similar to the process used for initially signing the root zone, any differences between the initial signing process and the rollover process have not as yet been operationally exercised and, thus, may introduce more risks.

[27] See: http://www.potaroo.net/ispcol/2010
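
The first risk above, a Validator left holding an out-of-date root TA, can be checked for by comparing the configured trust anchors with the KSKs in the published DNSKEY RRset. The following is an added example, not part of the SAC063 text: it uses the RFC 4034 key tag and a SHA-256 DS digest, and the key material, the `anchor_status` and `as_anchor` names and the three status labels are constructed for illustration.

```python
import hashlib
import struct

ROOT_WIRE = b"\x00"   # wire-format owner name of the root zone
KSK_FLAGS = 257       # Zone Key bit + SEP bit: a key-signing key

def rdata(flags, protocol, algorithm, pubkey):
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (algorithms other than 1)."""
    acc = 0
    for i, byte in enumerate(rdata(flags, protocol, algorithm, pubkey)):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(flags, protocol, algorithm, pubkey, owner=ROOT_WIRE):
    """DS digest type 2: SHA-256 over owner name + DNSKEY RDATA."""
    return hashlib.sha256(owner + rdata(flags, protocol, algorithm, pubkey)).hexdigest()

def as_anchor(k):
    """Trust anchor in DS form: (key tag, algorithm, digest)."""
    return (key_tag(*k), k[2], ds_sha256(*k))

def anchor_status(trust_anchors, dnskey_rrset):
    """Compare configured TAs with the KSKs published in the DNSKEY RRset."""
    published = {as_anchor(k) for k in dnskey_rrset if k[0] == KSK_FLAGS}
    trusted = published & set(trust_anchors)
    if not trusted:
        return "stale"             # no TA matches: every validation fails
    if published - trusted:
        return "rollover-pending"  # a published KSK is not yet trusted
    return "current"

# Constructed sample keys (opaque bytes, NOT real root zone key material).
OLD_KSK = (257, 3, 8, bytes(range(64)))
NEW_KSK = (257, 3, 8, bytes(range(64, 128)))
ZSK = (256, 3, 8, bytes(range(128, 192)))

if __name__ == "__main__":
    validator = [as_anchor(OLD_KSK)]  # Validator that never installs the new TA
    for label, rrset in [("before", [OLD_KSK, ZSK]),
                         ("during", [OLD_KSK, NEW_KSK, ZSK]),
                         ("after", [NEW_KSK, ZSK])]:
        print(label, anchor_status(validator, rrset))
```

A Validator that reports "rollover-pending" for the whole overlap period and never reaches "current" is the one that ends up "stale" once the old KSK is withdrawn.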