A Ceremony Unlike Others
28/02/2018
This February, the meeting that usually takes place during the first half of the year at ICANN headquarters (Los Angeles) to generate the signing keys for the Internet DNS root was quite different from previous meetings: it included a ceremony for disposing of the old system in which the keys had been stored for the past seven years.
Carlos Martínez and Nicolas Antoniello, two active members of the LACNIC community, were among the select group of people who witnessed this historic event. Both belong to the group of 14 persons serving as key custodians, known as crypto officers, each of whom holds one of the keys used to protect the security of the Internet.
The Hardware Security Module (HSM) destroyed during the ceremony was the equipment used to generate the DNS root zone keys until last year, when the decision was made to change the cryptographic keys and the device, which was reaching the end of its life, was replaced by a new one, said Martínez, LACNIC CTO.
“This equipment was destroyed to make it impossible for anyone taking control of the device to eventually recover the key. Its destruction means there is no risk of information leaks,” noted Martínez, who has been working for eight years with this group of community representatives in the key generation ceremonies hosted by ICANN to generate the keys used to sign the DNS root.
The two small computers, known as Hardware Security Modules (HSMs), are designed for the sole purpose of generating and storing cryptographic material. The older units coexisted for some time with the new ones until they were no longer used and were taken into storage. After the key material had been deleted from them, the time came for their destruction at the February meeting. It was a historic event and a novel experience, as it was the first time such a destruction had taken place within the context of a DNS root signing ceremony.
New Key. The plan for changing the key (known as the KSK, or Key Signing Key) is currently undergoing a period of public consultation that will remain open until early April (see link), following ICANN’s decision to postpone the KSK rollover until October 2018.
The root was first signed in 2010, and best practice indicates that cryptographic keys should be changed periodically. The scale of the Internet means that rolling the root zone key represents a significant challenge. “This rollover process is expected to conclude during 2018, based on the comments of the Internet community and managing the timeline so that Internet operators will not be affected,” concluded LACNIC’s CTO.