Witnessing the Signing of the .UY Zone
By Carlos Martínez, LACNIC CTO
.UY, the Uruguayan TLD, renewed its zone signatures using its Key Signing Key (KSK), the cryptographic key that signs the key set of a Domain Name System (DNS) zone, and in doing so strengthened the system and the trustworthiness of the Internet.
The KSK is used to digitally sign the set of zone-signing keys. Like all other top-level domains (TLDs), .UY is responsible for signing its own namespace using DNSSEC.
A globally accepted and recommended practice is to renew the signatures by rolling over the keys. DNSSEC signatures are peculiar in that their validation depends on the root: a validator only trusts a zone's keys once it has followed the chain of trust up to the root zone.
A key rollover involves generating a new pair of cryptographic keys and distributing the new public key globally to all DNSSEC-validating resolvers. This is a significant change, as every Internet query that uses DNSSEC relies on the KSK of the root zone to validate its destination.
If a resolver's copy of the root zone KSK is not up to date, that DNSSEC-validating resolver cannot resolve DNS queries.
The mechanism in use splits signing between two keys: the Zone Signing Key (ZSK), which signs the zone's records and therefore covers any change made to the zone, and the KSK, which signs the key set and is the key used to build the chain of trust upward from .UY to the root.
In the case of Uruguay, the key is rolled over every five years. The KSK is used to sign the ZSKs; typically, twice as many ZSKs as are needed are generated.
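The upward link described above is a DS record in the root zone: a hash of the child's KSK that a validator compares against the DNSKEY the child publishes. The following is an added example (not code from the original article or from the .UY registry) that computes the DS digest and key tag from a DNSKEY exactly as RFC 4034 specifies, using only the Python standard library; the DNSKEY and its public-key bytes are constructed sample values, not the real .UY key.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY, NOT the real .UY key. flags 257 = zone key bit
# (0x0100) plus SEP bit (0x0001), the usual marking of a KSK; protocol is
# always 3; algorithm 8 is RSASHA256. The public key bytes are dummy data.
SAMPLE_KSK = {"flags": 257, "protocol": 3, "algorithm": 8,
              "public_key": base64.b64encode(b"\x01\x02\x03\x04").decode()}

def dnskey_rdata(key: dict) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2)."""
    header = struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"])
    return header + base64.b64decode(key["public_key"])

def is_ksk(key: dict) -> bool:
    """Zone-key and SEP bits both set: the key is meant to be referenced by a DS."""
    return key["flags"] & 0x0100 != 0 and key["flags"] & 0x0001 != 0

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 appendix B (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(name: str, key: dict, digest_type: int = 2) -> str:
    """DS digest (RFC 4034 section 5.1.4): hash(owner name | DNSKEY RDATA)."""
    h = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return h(owner_wire(name) + dnskey_rdata(key)).hexdigest().upper()

def ds_record(name: str, key: dict, digest_type: int = 2) -> str:
    """The DS line the parent (here, the root) would publish for this KSK."""
    rdata = dnskey_rdata(key)
    return (f"{name} IN DS {key_tag(rdata)} {key['algorithm']} "
            f"{digest_type} {ds_digest(name, key, digest_type)}")

def matches_parent(name: str, key: dict, parent_digest: str, digest_type: int = 2) -> bool:
    """The validator's check: does the published KSK hash to the parent's DS?"""
    return ds_digest(name, key, digest_type) == parent_digest.upper()
```

After a rollover, the old DS must be replaced in the root with the one computed from the new KSK; until then `matches_parent` fails for the new key, which is why the parent update is part of the procedure.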
The ceremony during which the new keys were generated in Uruguay was held at the Pocitos Data Center, where the hardware security module (HSM) server rack is located.
Who was present during the ceremony? Two crypto officers (each with a USB flash drive), a notary and, for reasons of transparency, five witnesses.
The HSM (a board inside the server) was powered on, a series of steps was followed, and the final product was the set of ZSKs signed with the KSK.
A digital signature of the result was also generated; it can be verified and is recorded in the minutes, so anyone who wishes to can confirm that the correct keys are in use. This adds transparency and provides assurance over the process.
The new keys were copied to two USB flash drives. One was taken to SeCIU, the Central Computer Service of the University of the Republic; the other was stored in a bank vault. The vault copy serves as a backup from which the HSM can be restored if the original is destroyed.
The USB flash drive taken to SeCIU was used to load the keys and perform the signing operations.
The same ceremony is held by the local TLD in each territory of the LACNIC service region.