In about 15 minutes, at 1:00pm US EDT, you can watch live as members of the DNS/DNSSSEC community engage in a “Key Signing Ceremony” that will result in the generation of new keys used for managing DNSSEC at the root of the Domain Name System (DNS). The live stream will be at:
The schedule, list of attendees and other information can be found at:
The ceremony begins at 1:00pm and is scheduled to end at 4:00pm US EDT. The script that is being followed during the ceremony is available at:
These documents may also be helpful in understanding what happens:
- Root Zone DNSSEC KSK Ceremonies Guide (a general guide, see the specific “key ceremony XV script” for what is happening today)
- DNSSEC Practice Statement for the Root Zone KSK Operator
- DNSSEC Practice Statement for the Root Zone ZSK Operator
Essentially what is going on is the creation and signing of new “zone-signing keys (ZSKs)” that are being signed by ICANN’s “key-signing key (KSK)” and then deployed by the ZSK operator.
As you will see if you watch, there is a very specific process that is used to ensure the integrity and security of the key signing process. It is all documented and then archived so that there is full transparency about what goes on.
If you are interested in understanding how DNSSEC works at an operational level, you may find watching today quite informative. If you are unable to watch the stream live, it will be recorded and made available from the archive link for this 15th key signing ceremony. (And as these key signing ceremonies happen quarterly, the next will be along in just a few months.)