DNS Root Key Signing Key Ceremony 57

02/07/2025

DNS Root Key Signing Key Ceremony 57
Designed by Freepik

By Hugo Salgado, DNS Architect at Tucows Domains

At the end of April this year, the 57th DNS Root Key Signing Key Ceremony took place at the facility on the east coast of the United States. Pía Gruvö, Ondřej Filip, Nomsa Mwayenga, and I participated as Cryptographic Officers.

This time, it was a regular process of signing the ZSK which will be published in the third and fourth quarters of the year and will continue with the pre-publication of the new KSK. Since we are currently in the middle of the KSK rollover process, we must be careful to generate different scenarios, considering emergency situations such as the retirement of the new KSK. That said, everything appears to be fine for now. A study conducted by Duane Wessels of Verisign shows that resolvers have accepted the new key at a rate of 90% after the month-long wait since it appeared in the root keyset in February 2025

(Free access, no subscription required)

(Image taken from “The 2024-2026 Root Zone KSK Rollover: Initial Observations and Early Trends”)

A new version of the operating system and HSM control tools, called coen v2.0.1, was used for this 57th ceremony.

Once again, the ceremony was executed flawlessly. Since becoming a Crypto Officer two years ago, this was the first ceremony with no exceptions to the script!

In the DNS root keyset, there are now two KSKs [the current (20326) and the new key (38696)], ZSK 53148 and its future replacement, 46441, which is scheduled to appear at the end of June, all signed by the current KSK 20326.

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of LACNIC.

Subscribe
Notify of

0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments