Domain Name System (DNS) 16 May 2016

25th DNS Root Key Ceremony

By Olaf Kolkman, Principal - Internet Technology, Policy, and Advocacy

Last week, the 25th DNS root key ceremony took place.

The context of this ceremony is that for DNS security purposes the root of the DNS is signed using a cryptographic key. The use of that key is subject to stringent access requirements and the ceremony provides the transparency that is needed for the Internet community to ultimately trust the authority and integrity of DNS data.

An in-depth explanation of the ceremony is out of scope for this post, but Ólafur Guðmundsson’s blog post gives a reasonable overview of the ceremony itself and the links in that article and our Deploy360 pages on DNSSEC should give you sufficient information if you want to deploy DNSSEC yourself.

The reason for this post is that I want to make two attestations and give a heads up.

Attestation one: I attest that Root Key Ceremony 25 took place according to the script with only one exception: the Ceremony Administration was not performed by Francisco Arias, but by Punky Duero.

Attestation two: During Act 2 of the ceremony the Operating System DVD was replaced and the old OS DVD copies (Rev600) were discarded, in accordance with step 11 of the script. I took one of the DVDs and, using OpenSSL version 1.0.2e from OS X 10.11.4, I verified the SHA256 checksum of the disk. That checksum is exactly the same as the checksum recorded during ceremony 7 – step 12: 7da0d1c5eecb822d7bbd47b31d25e4f0f37bb8a46cfbe288d2b07b32f5e38146

There have been two disks used during the ceremonies; I only took one.

As an aside, the reason for the OS replacement is that the signer needed to be able to deal with the larger (2048-bit) zone signing keys that will be used to sign the root zone. More detail about the key-size increase can be found in this Verisign blog.

Heads up: The plans for the rollover of the root key are being developed. If you run a validating name server this may impact you. Please follow the developments around the KSK rollover project via https://www.iana.org/dnssec.

Pictures from the 25th ceremony by the author can be found on Flickr.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
