If you are interested in understanding a bit more about how the overall DNSSEC infrastructure operates, you can watch the “Root DNSSEC KSK Ceremony 18” live today, August 14, 2014, from a data center in El Segundo, California, USA, starting at 12:15pm Pacific time, which is 19:15 UTC. All the information and the link to the live stream can be found at:
The key ceremonies are part of the activities performed by the Internet Corporation for Assigned Names and Numbers (ICANN) under its contract to operate the Internet Assigned Numbers Authority (IANA). As explained on the overview page:
Ceremonies are usually conducted four times a year to perform operations using the Root Key Signing Key, and involving Trusted Community Representatives. In a typical ceremony, the KSK is used to sign a set of operational ZSKs that will be used for a three month period to sign the DNS root zone. Other operations that may occur during ceremonies include installing new cryptographic officers, replacing hardware, or generating or replacing a KSK.
This ceremony today is to use the “master” root Key Signing Key (KSK) to generate a set of Zone Signing Keys (ZSKs) that will then be used until the next key ceremony.
There is a complete script that outlines the overall process that is used by ICANN to perform this operation today. In the interest of transparency there is also a live video stream that will show the entire process and that will be archived for later viewing.
Additionally, during today’s key ceremony there will be a replacement of one of the Cryptographic Officers (COs) who each hold a part of the overall master Root Key. Ed Lewis is ending his term as a CO and is being replaced by Olafur Gudmundsson. There is also a complete script outlining the steps of the replacement process.
The “root key” is at the top of the “global chain of trust” that is used to ensure the correct validation of DNSSEC signatures (for more info see “The Two Sides of DNSSEC“) and so it is critical that the security and integrity of this root key be maintained. Ceremonies such as the one today are a part of that effort. If you are interested in learning more, today is a bit of a peek behind the curtain about how all of this happens…
P.S. If you want to learn more about how to get started with DNSSEC, please visit our “Start Here” page to find resources focused on your type of role or organization.