Deploy360 Domain Name System Security Extensions (DNSSEC)

Watch Live TODAY – DNSSEC Root KSK Ceremony 25 – 13:00 EDT – 17:00 UTC

Starting in about 45 minutes, at 13:00 local time in Culpeper, Virginia, which is 17:00 UTC, you have the opportunity to watch the live stream of the Root KSK key-signing ceremony #25. More info can be found here:

and the direct link for watching is:

Internet Society CITO Olaf Kolkman will be among the participants, as he is one of the 14 global “Crypto Officers” who have a role to play in the key signing ceremony. You can see the various roles in the KSK Ceremony 25 script, but it is perhaps better to read this excellent description by Olafur Gudmundsson:

Olafur’s text, photos and graphics help explain what is going on.

If you can’t watch live but are interested in what happens, materials will be available after the fact including camera footage and more. (See the example of KSK Ceremony 24 from February 2016.)

While this may not necessarily be as exciting as a rocket launch, these public key signing ceremonies are important to ensure people understand and believe in the trustworthiness of the Root KSK that enables the overall DNSSEC global “chain of trust” to be reliable!

P.S. If you want to get started with DNSSEC yourself, please visit our Start Here page to find resources to help you!


My View Of The DNSSEC Root Key Signing Ceremony

Yesterday I participated in a DNS root key signing ceremony.

[Photo: Root Signing Ceremony - Participants]

DNSSEC provides authenticity and integrity checking of DNS messages based on public-key cryptography. When validating a DNS message, a DNS resolver uses a pre-configured public key (its trust anchor) to build a chain of trust down to the message that is to be validated. The pre-configured key belongs to the key-signing key (KSK) of the root zone, which is used to sign the zone-signing keys (ZSKs), which are in turn used daily to sign the content of the root zone.

A good description of the ceremony has been written by Ólafur Guðmundsson, and you might want to skim that blog post first, as I will refer to it a few times below.

[Photo: Root Signing Ceremony - Checking the Safes]

Trust in the DNS is partly based on the assumption that none of the potential adversaries have access to the root key. Ólafur’s blog post has this nice quote:

“Each of these participants can only perform certain parts of the ceremony. Their roles are divided in a way that ensures less than a 1:1,000,000 chance that a group of conspirators could compromise the root-signing key, assuming a 5% dishonesty rate (yes, that’s formally in the specification) amongst these individuals.”

In other words, the ceremony is designed to minimize the chance that a set of conspirators that are involved in the process will collude and get access to the key. However, as well as creating a barrier to use of the key, the ceremony has an audit role.

[Photo: Root Signing Ceremony - Smart Cards]

There is also the requirement that the signing key must be available in emergency situations. That is why the Hardware Security Module (HSM) that stores the root-signing key and the smart cards needed to activate it are stored in the same facility. In an emergency, ICANN staff would open the credential box (see Ólafur’s blog post for what that is), use mechanical force (drills) to open the deposit boxes, rip open the tamper-evident bags, and use the smart cards to activate the HSM.

Obviously we would trust ICANN to be extremely transparent about the fact that they had gained access, but as we all know, one has to trust and verify. An important piece of the ceremony is to provide assurance that nobody has gained access to the smart cards, and it is the role of the trusted community officers to verify that the tamper-evident bag in which the key has been stored has not been tampered with and that there are no signs of forceful entry into the safe deposit box.

[Photo: Root Signing Ceremony - Olaf Kolkman checking bags]

This blog post serves as testimony that I have performed that role in accordance with the script used during the ceremony. It is this script that documents the chain of evidence and guarantees that everything that happens within the cage is documented precisely.

So there we go: I hereby testify that the 23rd root signing ceremony has been executed according to the script, and that the two exceptions we encountered do not give me concerns. I have checked the physical integrity of the safe and the tamper evident bags and have not seen any signs of compromise.

More information about the ceremony, including recordings (which are not yet available at the time of publication of this blog post), is available at

Editor’s Note: Olaf has also published a set of photos from this key ceremony.