Yesterday I participated in a DNS root key signing ceremony.
DNSSEC provides for authenticity and integrity checking of DNS messages based on public key based cryptographic technologies. When validating a DNS message a DNS resolver will use a pre-configured public key to build a chain-of-trust to the message that is to be validated. The preconfigured key belongs to the key-signing key (KSK) of the root zone which is used to sign the zone-signing keys (ZSKs), which are in turn used daily to sign the content of the root zone.
A good description of the ceremony is written by Ólafur Guðmundsson, and you might want to skim that blog post first as I will refer to it a few times below.
Trust in the DNS is partly based on the assumption that none of the potential adversaries have access to the root-key, Ólafur’s blog post has this nice quote:
“Each of these participants can only perform certain parts of the ceremony. Their roles are divided in a way that ensures less than a 1:1,000,000 chance that a group of conspirators could compromise the root-signing key, assuming a 5% dishonesty rate (yes, that’s formally in the specification) amongst these individuals.”
In other words, the ceremony is designed to minimize the chance that a set of conspirators that are involved in the process will collude and get access to the key. However, as well as creating a barrier to use of the key, the ceremony has an audit role.
There is also the requirement that the signing key must be available for emergency situations. That is why the Hardware Security Module that stores the root-signing key and the smart cards needed to activate them are stored in the same facility. In emergency situations the ICANN staff would open the credential box (see Ólafur’s blog post for what that is), use mechanical force (drills) to open the deposit boxes, rip the tamper evident bags, and use the smart cards to activate the HSM.
Obviously we would trust ICANN to be extremely transparent about the fact that they gained access, but as we all know, one has to trust and verify. An important piece of the ceremony is to provide assurance that nobody gained access to the smart cards, and it is the role of the trusted community officers to verify that the tamper-evident bag in which the key has been stored has not been tampered with and that there are no signs of forceful entry into the safe deposit box.
This blog post serves as testimony that I have performed that role, and in accordance with the script used during the ceremony. It is this script that documents the chain of evidence and guarantees that everything that happens within the cage is documented precisely.
So there we go: I hereby testify that the 23rd root signing ceremony has been executed according to the script, and that the two exceptions we encountered do not give me concerns. I have checked the physical integrity of the safe and the tamper evident bags and have not seen any signs of compromise.
More information about the ceremony, including recordings (which are not yet available at publication of this blog post) are available at https://data.iana.org/ksk-ceremony/23/
Editor’s Note: Olaf has also published a set of photos from this key ceremony.