Category: Root KSK

Watch Live TODAY – DNSSEC Root KSK Ceremony 25 – 13:00 EDT – 17:00 UTC

Starting in about 45 minutes, at 13:00 local time in Culpeper, Virginia, which is 17:00 UTC, you have the opportunity to watch the live stream of the Root KSK key-signing ceremony #25. More info can be found here:

and the direct link for watching is:

Internet Society CITO Olaf Kolkman will be among the participants as he is one of the 14 global “Crypto Officers” who have a role to play in the key signing ceremony. You can see the various roles in the KSK Ceremony 25 script, but it is perhaps better to read this excellent description by Olafur Gudmundsson:

Olafur’s text, photos and graphics help explain what is going on.

If you can’t watch live but are interested in what happens, materials will be available after the fact including camera footage and more. (See the example of KSK Ceremony 24 from February 2016.)

While this may not necessarily be as exciting as a rocket launch, these public key signing ceremonies are important to ensure people understand and believe in the trustworthiness of the Root KSK that enables the overall DNSSEC global “chain of trust” to be reliable!

P.S. If you want to get started with DNSSEC yourself, please visit our Start Here page to find resources to help you!

5 Hours Left To Submit Comments on ICANN Design Team Review of Plan for DNS Root Zone KSK Change

Do you have any comments on the findings of the ICANN Design Team regarding the changing of the root zone key-signing key (KSK) for DNSSEC? If so, you have about five hours left to submit your comments as the comment period ends at 23:59 UTC today, 5 October 2015. You can read the Design Team report and submit your own comments at:

https://www.icann.org/public-comments/root-ksk-2015-08-06-en

The comment period has been open since August 6, 2015, and the word has been distributed through multiple online mailing lists and other forums in the time since.  To date there have only been a few comments, although I’m seeing several (including my own) coming in today:

http://forum.icann.org/lists/comments-root-ksk-06aug15/index.html

You may recall that ICANN announced the members of this design team back in February 2015 and this was after a comprehensive public comment period back in 2013.  Here are some links that can provide some context:

As you will see in my own response, I am generally pleased with the findings of the Design Team but have a few points I wish to add.

NOW IS THE TIME TO SUBMIT YOUR COMMENTS… you have about five hours left!

P.S. And if you just want to learn what DNSSEC is all about, please visit our Start Here page to learn more!

IANA DNSSEC Root Key Ceremony 21 Streaming Live Today

If you’re interested in the security at the root of DNSSEC, you can watch the IANA DNSSEC Root KSK Ceremony streaming live today – happening right now, in fact – from a data center in Culpeper, Virginia.  Just go to:

https://icann.adobeconnect.com/kskceremony

where you can connect to ICANN’s Adobe Connect streaming service.  There you can watch as the participants work their way through the 56-page script for today’s key ceremony.

The key ceremony today began at 1:00pm US EDT (17:00 UTC) and will end at 5:00pm EDT (21:00 UTC).

The key ceremonies are part of the activities performed by the Internet Corporation for Assigned Names and Numbers (ICANN) under its contract to operate the Internet Assigned Numbers Authority (IANA). As explained on the overview page:

Ceremonies are usually conducted four times a year to perform operations using the Root Key Signing Key, and involving Trusted Community Representatives. In a typical ceremony, the KSK is used to sign a set of operational ZSKs that will be used for a three month period to sign the DNS root zone. Other operations that may occur during ceremonies include installing new cryptographic officers, replacing hardware, or generating or replacing a KSK.

This ceremony today is to use the “master” root Key Signing Key (KSK) to generate a set of Zone Signing Keys (ZSKs) that will then be used until the next key ceremony.  The “root key” is at the top of the “global chain of trust” that is used to ensure the correct validation of DNSSEC signatures (for more info see “The Two Sides of DNSSEC”) and so it is critical that the security and integrity of this root key be maintained.  Ceremonies such as the one today are a part of that effort.  If you are interested in learning more, today is a bit of a peek behind the curtain about how all of this happens.

This ceremony will be a bit different from other ones in that they will actually be replacing the Hardware Security Modules (HSMs) that are used to store the actual private key of the Root KSK.  This process was explained in detail in a March 2015 blog post: ICANN Announces 2015 Hardware Security Module Replacement Project for the Root Key Signing Key.  For those curious, the HSM replacement process starts on page 19 of today’s ceremony script.

Now, granted, occasionally watching people enter commands into a Linux command prompt may not necessarily be as exciting as watching rockets launch…


… but it’s still rather cool that we get to watch the whole process unfold remotely!

And… it’s much more than the command-line operations… you are also getting to see some of the people who hold parts of the keys at the root of DNSSEC do their parts in the actual ceremony.  Some of them you may recognize from when we’ve written about them or from some of the articles they’ve written or presentations they’ve made.


You also get to see some of the steps of the process up close:


If you can’t watch it live, it is being recorded and you can always go back and view it.

P.S. If you want to learn more about how to get started with DNSSEC, please visit our “Start Here” page to find resources focused on your type of role or organization.


Watch Live Today – DNSSEC Root KSK Ceremony 20 at 12:15 PST / 20:15 UTC

Streaming live today from El Segundo, CA, will be the 20th “key ceremony” related to the Key Signing Key (KSK) for the Root zone of DNSSEC.  The page containing all the relevant links is at:

https://www.iana.org/dnssec/ceremonies/20

The ceremony starts at 12:15pm US Pacific Standard Time (20:15 UTC) and will conclude at 5:00 pm PST (01:00+1day UTC).  If you are interested in understanding more about the security of the overall DNSSEC system, the ceremony shows the process and care taken to administer the DNSSEC keys of the root of DNS.

The key ceremonies are part of the activities performed by the Internet Corporation for Assigned Names and Numbers (ICANN) under its contract to operate the Internet Assigned Numbers Authority (IANA). As explained on the overview page:

Ceremonies are usually conducted four times a year to perform operations using the Root Key Signing Key, and involving Trusted Community Representatives. In a typical ceremony, the KSK is used to sign a set of operational ZSKs that will be used for a three month period to sign the DNS root zone. Other operations that may occur during ceremonies include installing new cryptographic officers, replacing hardware, or generating or replacing a KSK.

This ceremony today is to use the “master” root Key Signing Key (KSK) to generate a set of Zone Signing Keys (ZSKs) that will then be used until the next key ceremony.

There is a lengthy script that outlines the process that will be used today:

http://data.iana.org/ksk-ceremony/20/KC20_Scripts.pdf

The process is open via the live video stream for all to see. The video recording will also be archived for later viewing.

P.S. If you want to learn more about how to get started with DNSSEC, please visit our “Start Here” page to find resources focused on your type of role or organization.

ICANN Seeking Volunteers For DNSSEC Root KSK Rollover Plan Design Team

Do you want to help ICANN plan the best way to roll the root key used for DNSSEC?  Are you interested in being considered as a volunteer member of ICANN’s Root KSK Rollover Plan Design Team?  Recently ICANN staff sent a message to the public dnssec-coord mailing list and various other mailing lists asking for volunteers.  The “Solicitation of Statement of Interest for Membership in the Root Zone Key Signing Key Rollover Plan Design Team” (say that 10 times fast!) begins:

ICANN, as the IANA functions operator, in cooperation with Verisign as the Root Zone Maintainer and the National Telecommunications Information Administration (NTIA) as the Root Zone Administrator, together known as the Root Zone Management (RZM) partners, seek to develop a plan for rolling the root zone keysigning key (KSK). The KSK is used to sign the root zone zone-signing key (ZSK), which in turn is used to DNSSEC-sign the Internet’s root zone. The Root Zone Partners are soliciting five to seven volunteers from the community to participate in a Design Team to develop the Root Zone KSK Rollover Plan (“The Plan”). These volunteers along with the RZM partners will form the Design Team to develop The Plan.

The document goes on to list the requirements and the process.  Essentially, if you meet the requirements you need to send a message with the requested information to ksk-rollover-soi@icann.org by the end of the day on Friday, January 16, 2015.  The Root Zone Management partners will then choose from among the applicants to form the Design Team.

We’ve written here before about how incredibly important it is to get the Root KSK Rollover right, and so we commend ICANN for going through this process to create an appropriate Design Team.  We would encourage people with operational knowledge of DNSSEC and DNS in general to definitely read over the document and consider applying!

P.S. And if you don’t know about DNSSEC, or want more information, please visit our Start Here page to find out how to begin!

Root DNSSEC KSK Rollover Workshop Streaming Live Today From ICANN 51


Today (Oct 16, 2014) from 9:00 am to 12 noon US Pacific, a special public workshop about implications of a “rollover” of the “Root Key Signing Key (KSK)” that serves as the ultimate “trust anchor” for DNSSEC will be streamed live from ICANN 51 in Los Angeles. Information about how to participate remotely can be found at:

http://la51.icann.org/en/schedule/thu-dnssec-key-rollover

(Note: the times on that page have not yet been updated.  The workshop will be from 09:00-12:00, although it may extend later if discussions continue.  It will definitely conclude by no later than 13:30 PDT.)

ICANN Chief Technology Officer (CTO) David Conrad has organized this public discussion about issues related to changing the Root KSK.  This will be a chance to publicly discuss what we collectively see as potential issues when the Root KSK is rolled or changed and what we need to do about those issues.  This is a critically important topic and so it is great to see ICANN holding this session.

The public workshop is intended to be a discussion forum to collect guidance from a wide range of people.  An ad hoc program committee was established of Joe Abley, Duane Wessels, Roy Arends, Jakob Schlyter, David Conrad and myself.  I was asked to act as a moderator to ensure that the flow moves appropriately and that all get to contribute.  The proposed agenda is:

1. INTRODUCTION

A brief level setting of why the workshop has been called, where we are at in the process (ICANN public consultation in early 2013, SSAC report, ICANN Board resolution in Nov 2013), and what we hope to do in the workshop.  (See my recent “Background Information” post for links for more info.)

2. HOW a Root KSK Rollover might occur

We would like to discuss how an automated (RFC 5011) rollover would occur as well as non-5011 roll options and options for a staggered roll.  Joe Abley will discuss a couple of relevant Internet Drafts.

3. WHAT a Root KSK Rollover might involve

We would like to discuss what changes might be made during a Root KSK Rollover. Specifically two points:

  a. ALGORITHM CHANGE – Geoff Huston will give a presentation about potential impacts of a change of the algorithm. (Geoff also presented this information at the DNS-OARC meeting this past weekend.)

  b. Length of KSK – There has been some discussion about changing the length of ZSKs and KSKs and moving to longer key sizes.  We would like a discussion around this idea and the potential impacts.

4. IMPLICATIONS

Discussion of additional implications beyond those discussed earlier.  For instance, issues around response sizes.

5. POTENTIAL TIMELINE (unanchored)

We would like to discuss what a potential timeline might look like for the entire process.  The intent is NOT to establish a fixed date but rather to establish what a timeline might look like for the full process to take place.

6. NEXT STEPS

We want to spend the end of the session identifying specific steps and actions that will occur coming out of this workshop.

If you are interested in this topic, you can join ICANN’s “ksk-rollover” mailing list and read the archives.

And if you want to get started NOW with deploying DNSSEC, why not visit our Start Here page to find resources tailored for your type of organization?