DNS Root Key Signing Key Ceremony 57
02/07/2025

By Hugo Salgado, DNS Architect at Tucows Domains
At the end of April this year, the 57th DNS Root Key Signing Key Ceremony took place at the facility on the east coast of the United States. Pía Gruvö, Ondřej Filip, Nomsa Mwayenga, and I participated as Cryptographic Officers.
This time, it was a regular process of signing the ZSK which will be published in the third and fourth quarters of the year and will continue with the pre-publication of the new KSK. Since we are currently in the middle of the KSK rollover process, we must be careful to generate different scenarios, considering emergency situations such as the retirement of the new KSK. That said, everything appears to be fine for now. A study conducted by Duane Wessels of Verisign shows that resolvers have accepted the new key at a rate of 90% after the month-long wait since it appeared in the root keyset in February 2025
(Free access, no subscription required)

A new version of the operating system and HSM control tools, called coen v2.0.1, was used for this 57th ceremony.
Once again, the ceremony was executed flawlessly. Since becoming a Crypto Officer two years ago, this was the first ceremony with no exceptions to the script!
In the DNS root keyset, there are now two KSKs [the current (20326) and the new key (38696)], ZSK 53148 and its future replacement, 46441, which is scheduled to appear at the end of June, all signed by the current KSK 20326.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of LACNIC.