‹ Back
Deploy360 14 August 2014

Watch Live Today – DNSSEC Root Key Ceremony #18

Dan York
By Dan YorkDirector, Online Content

IANA logoIf you are interested in understanding a bit more about how the overall DNSSEC infrastructure operates, you can watch the “Root DNSSEC KSK Ceremony 18” live today, August 14, 2014, from a data center in El Segundo, California, USA, starting at 12:15pm Pacific time, which is 19:15 UTC.  All the information and the link to the live stream can be found at:


The key ceremonies are part of the activities performed by the Internet Corporation for Assigned Names and Numbers (ICANN) under its contract to operate the Internet Assigned Numbers Authority (IANA). As explained on the overview page:

Ceremonies are usually conducted four times a year to perform operations using the Root Key Signing Key, and involving Trusted Community Representatives. In a typical ceremony, the KSK is used to sign a set of operational ZSKs that will be used for a three month period to sign the DNS root zone. Other operations that may occur during ceremonies include installing new cryptographic officers, replacing hardware, or generating or replacing a KSK.

This ceremony today is to use the “master” root Key Signing Key (KSK) to generate a set of Zone Signing Keys (ZSKs) that will then be used until the next key ceremony.

There is a complete script that outlines the overall process that is used by ICANN to perform this operation today.  In the interest of transparency there is also a live video stream that will show the entire process and that will be archived for later viewing.

Additionally, during today’s key ceremony there will be a replacement of one of the Cryptographic Officers (COs) who each hold a part of the overall master Root Key.  Ed Lewis is ending his term as a CO and is being replaced by Olafur Gudmundsson.  There is also a complete script outlining the steps of the replacement process.

The “root key” is at the top of the “global chain of trust” that is used to ensure the correct validation of DNSSEC signatures (for more info see “The Two Sides of DNSSEC“) and so it is critical that the security and integrity of this root key be maintained.  Ceremonies such as the one today are a part of that effort.  If you are interested in learning more, today is a bit of a peek behind the curtain about how all of this happens…

P.S. If you want to learn more about how to get started with DNSSEC, please visit our “Start Here” page to find resources focused on your type of role or organization.

‹ Back

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...

Join the conversation with Internet Society members around the world