A Theatrical Plot and a Secret Key: The Remarkable Experience of the DNS Root Zone Signing Ceremony

21/04/2023


By Carlos Martinez Cagnazzo, LACNIC CTO

So much mystery has been generated around the DNS root zone signing ceremony that it has already become an Internet myth. So much so that even fiction and documentaries have used the screen to try to bring some clarity to the well-earned halo of enigma that envelopes the ceremony.

Four times a year, the Internet Corporation for Assigned Names and Numbers (ICANN) brings together experts from around the world to conduct a “key signing ceremony,” a critical operational event that is essential to Domain Name System (DNS) security. As part of the ceremony, cryptographic keys are used to protect the DNS root zone. For the duration of the process, a secure environment is created in which the root zone key signing key (KSK) can be used to sign the zone signing keys, generating a little more than three months’ worth of cryptographic signatures. These signatures will be used to sign the root zone each time a new signing is necessary during that period.

The procedure is designed to allow a diverse and global group of security experts from the community to meet once a year at the same location to witness the proper and secure use of the KSK. I am one of them, which is why, when somebody refers to me as one of the “Internet’s notaries” or the owner of one of the “keys to the Internet,” I can’t help but smile. The truth, however, is that being part of these ceremonies is an experience that borders on the theatrical, a narrative out of a spy movie, and most interestingly, a very physical and material process to certify the health and safety of digital life.

Why? Basically because the DNS root zone contains information that is vital when querying the name servers of top-level domains (TLDs) such as .com, .org, .edu, .ar or .br. This process allows all users to access the domain names under any TLD, so the reliability and security of the environment are key. The DNS root zone has no zone above it that could vouch for it, so what can be done to guarantee the integrity and authenticity of the DNS root zone information? The answer to this question is the root zone key signing ceremony.

Let’s not forget that DNS is one of the oldest Internet protocols, with its earliest versions dating back to the early 1980s. This protocol was created in another era, one where there was not much emphasis on security and trust. When the Internet reached commercial scale, those trusted environments essentially disappeared. However, it was only about 25 years later that the system’s security was brought to the table and, after several proposals, consensus was reached that it was best to implement the DNS Security Extensions (DNSSEC), which add a layer of security to the DNS protocol and make it possible to check the integrity and authenticity of the data.

Security, the Heart of the Ceremony


DNSSEC provides the framework for the entire ceremony. As I already mentioned, signatures are implemented with cryptographic key pairs, each with a public part and a secret part. Both signing and encryption involve the joint and coordinated use of these two parts. The private half of the Key Signing Key (KSK) is used to sign the set of Zone Signing Keys (ZSKs), and the ZSKs are in turn used each time a new signing is necessary; this is what strengthens trust in the domain name system.
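The two-level hierarchy just described (a trust anchor in the form of the KSK public key, a KSK signature over the set of ZSKs, and ZSK signatures over the zone's records) is easiest to see in code. The following is an added example written for this article, not ICANN's, IANA's or LACNIC's own software: it models the chain with Ed25519 from Go's standard library rather than the DNSKEY, RRSIG and DS record formats and the algorithms real DNSSEC uses, and the record and all keys in it are constructed sample data. A validator that holds only the KSK public key can verify a record, and a tampered record, a ZSK the KSK never signed, or a wrong trust anchor all fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Toy model of the DNSSEC signing hierarchy: the KSK signs the set of ZSKs,
// the ZSKs sign zone records, and validators trust only the KSK public key.
// Added example; real DNSSEC uses DNSKEY/RRSIG/DS records and algorithms
// such as RSA/SHA-256 or ECDSA P-256. Ed25519 is used here for brevity.

// Key is a DNSKEY-like key pair with a role label.
type Key struct {
	Role string // "KSK" or "ZSK"
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey // never leaves the signer (for the real KSK, the HSM)
}

// NewKey generates a fresh Ed25519 key pair for the given role.
func NewKey(role string) (*Key, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Key{Role: role, Pub: pub, priv: priv}, nil
}

// SignedKeySet is what a ceremony produces: the ZSK public keys valid for the
// coming period (the "DNSKEY RRset") plus the KSK's signature over them.
type SignedKeySet struct {
	ZSKs []ed25519.PublicKey
	Sig  []byte
}

// keySetBytes is the canonical byte string the KSK signs. The prefix separates
// key-set signatures from record signatures; Ed25519 public keys are a fixed
// 32 bytes, so plain concatenation is unambiguous.
func keySetBytes(zsks []ed25519.PublicKey) []byte {
	out := []byte("DNSKEY-SET:")
	for _, k := range zsks {
		out = append(out, k...)
	}
	return out
}

// recordBytes is the canonical form of one signed record.
func recordBytes(record string) []byte {
	return append([]byte("RECORD:"), record...)
}

// CeremonySign is the step performed at the ceremony: the KSK's private half is
// used once to sign the ZSKs that will be used over the next period.
func CeremonySign(ksk *Key, zsks []*Key) SignedKeySet {
	pubs := make([]ed25519.PublicKey, 0, len(zsks))
	for _, z := range zsks {
		pubs = append(pubs, z.Pub)
	}
	return SignedKeySet{ZSKs: pubs, Sig: ed25519.Sign(ksk.priv, keySetBytes(pubs))}
}

// SignRecord is the routine, online step: a ZSK signs one zone record.
func SignRecord(zsk *Key, record string) []byte {
	return ed25519.Sign(zsk.priv, recordBytes(record))
}

// VerifyRecord is the validator's view. Holding only the trust anchor (the KSK
// public key), it checks that (1) the key set is signed by the anchor, (2) the
// ZSK that signed the record is in that set, and (3) the record signature
// verifies under that ZSK. A break anywhere in the chain fails the record.
func VerifyRecord(anchor ed25519.PublicKey, ks SignedKeySet, zskPub ed25519.PublicKey, record string, sig []byte) bool {
	if !ed25519.Verify(anchor, keySetBytes(ks.ZSKs), ks.Sig) {
		return false
	}
	inSet := false
	for _, k := range ks.ZSKs {
		if k.Equal(zskPub) {
			inSet = true
			break
		}
	}
	if !inSet {
		return false
	}
	return ed25519.Verify(zskPub, recordBytes(record), sig)
}

func main() {
	ksk, _ := NewKey("KSK")
	zsk1, _ := NewKey("ZSK")
	zsk2, _ := NewKey("ZSK")
	keySet := CeremonySign(ksk, []*Key{zsk1, zsk2})

	// Constructed sample record in the style of a root-zone delegation.
	record := "com. IN NS a.gtld-servers.net."
	sig := SignRecord(zsk1, record)
	fmt.Println("genuine record: ", VerifyRecord(ksk.Pub, keySet, zsk1.Pub, record, sig))
	fmt.Println("tampered record:", VerifyRecord(ksk.Pub, keySet, zsk1.Pub, "com. IN NS ns.example.", sig))

	rogue, _ := NewKey("ZSK") // a ZSK the KSK never signed
	fmt.Println("unsigned ZSK:   ", VerifyRecord(ksk.Pub, keySet, rogue.Pub, record, SignRecord(rogue, record)))
}
```

The split is what makes the ceremony workable: the KSK private half is used only in CeremonySign, a handful of times a year under the controls the article describes, while SignRecord runs routinely with the ZSKs, and a validator never needs anything beyond the anchor to catch a substituted key set or record.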

Four ceremonies are held each year, each generating approximately four months’ worth of ZSKs (in practice, many more). In fact, this “surplus” came in very handy during the pandemic, as one of the ceremonies could not be held due to the isolation rules that were implemented. The virtual ceremonies that took place during that time are an anecdote deserving of a chapter of their own: while in full lockdown, I received a FedEx envelope in which I had to place my key and take it to the post office. The envelope also contained a sheet of paper with numbers that I had to validate within the framework of a ceremony that took place via Zoom.

But back to the in-person ceremonies: the root zone key signing key is held at two geographically distinct locations, El Segundo, California (USA) and Culpeper, Virginia (USA). There are only 14 cryptographic officers worldwide (seven for each location), and at least three of them must attend a ceremony to achieve quorum.

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of LACNIC.
