Witnessing the Signing of the .UY Zone
23/06/2022

By Carlos Martínez, LACNIC CTO
.UY, the Uruguayan TLD, updated its zone signatures using its Key Signing Key (KSK), a cryptographic key used to sign the Domain Name System (DNS) zone, which strengthens the system and increases the trustworthiness of the Internet.
The KSK is used to digitally sign the set of zone-signing keys. Just as all other top-level domains (TLDs), .UY is responsible for signing its space using DNSSEC.
A globally accepted and recommended practice is to periodically renew the signatures by rolling over the keys. DNSSEC signatures are peculiar in that their validation depends on a chain of trust that starts at the root zone.
A key rollover involves generating a new pair of cryptographic keys and distributing the new public key globally to all DNSSEC validating resolvers. This is a significant change, as every Internet query that uses DNSSEC relies on the KSK of the root zone to validate its destination.
If the root zone KSK is not up to date, the DNSSEC validating DNS resolvers cannot resolve DNS queries.
The mechanism used splits the signing role between two keys: the ZSK, which covers any change to the zone's own records, and the KSK, which is the key used to build the chain of trust upwards from .UY.
In the case of Uruguay, the key is updated every five years. The KSK is used to generate ZSKs; typically, twice as many keys as are needed are generated.
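As an added example (not part of the original post, and not LACNIC's or .UY's own code), the following Python script shows how the KSK/ZSK split and the upward chain of trust described above fit together in practice: the SEP flag in a DNSKEY record distinguishes a KSK from a ZSK, and the parent zone (the root, for .UY) publishes a DS record that is a hash of the child's KSK, which a validating resolver recomputes from the child's DNSKEY and compares. The DNSKEY line and its 4-byte "public key" are constructed sample data, not .UY's real key; the key tag and DS digest follow RFC 4034 and RFC 4509.

```python
import base64
import hashlib

# Constructed sample: a KSK-style DNSKEY for the "uy." zone in presentation
# format. Flags 257 = ZONE (256) + SEP (1); protocol 3; algorithm 8 (RSA/SHA-256).
# The base64 "key" decodes to the made-up bytes 01 02 03 04, not a real key.
SAMPLE_DNSKEY = "uy. 3600 IN DNSKEY 257 3 8 AQIDBA=="


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def parse_dnskey(line: str) -> dict:
    """Parse one DNSKEY record in zone-file presentation format."""
    owner, _ttl, _cls, rtype, flags, proto, alg, *key_b64 = line.split()
    if rtype != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    return {
        "owner": owner,
        "flags": int(flags),
        "protocol": int(proto),
        "algorithm": int(alg),
        "key": base64.b64decode("".join(key_b64)),  # key may be split over several tokens
    }


def dnskey_rdata(rec: dict) -> bytes:
    """Wire-format RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return rec["flags"].to_bytes(2, "big") + bytes([rec["protocol"], rec["algorithm"]]) + rec["key"]


def key_role(rec: dict) -> str:
    """ZONE bit (256) marks a zone key; the SEP bit (1) marks the KSK that the parent's DS points at."""
    if not rec["flags"] & 256:
        return "not a zone key"
    return "KSK" if rec["flags"] & 1 else "ZSK"


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (16-bit checksum-style identifier of a DNSKEY)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(rec: dict, digest_type: int = 2) -> dict:
    """DS RDATA the parent publishes: digest over (owner name wire form || DNSKEY RDATA)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]  # 1 = SHA-1, 2 = SHA-256 (RFC 4509)
    rdata = dnskey_rdata(rec)
    digest = hasher(name_to_wire(rec["owner"]) + rdata).hexdigest().upper()
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rec["algorithm"],
        "digest_type": digest_type,
        "digest": digest,
    }


def ds_matches(ds: dict, rec: dict) -> bool:
    """The resolver-side check: rebuild the DS from the child's DNSKEY and compare with the parent's DS.

    A mismatch means the chain of trust from the parent down to this KSK is broken,
    which is exactly what happens when a KSK rollover is not reflected in the parent's DS.
    """
    return ds_record(rec, ds["digest_type"]) == ds


if __name__ == "__main__":
    ksk = parse_dnskey(SAMPLE_DNSKEY)
    ds = ds_record(ksk)
    print(f"{ksk['owner']} role={key_role(ksk)} tag={ds['key_tag']}")
    print(f"{ksk['owner']} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
    print("DS matches DNSKEY:", ds_matches(ds, ksk))
```

Running the script prints the DS line that the parent zone would carry for this (constructed) KSK and confirms that it validates against the DNSKEY; editing a single byte of the key, as happens when a rolled-over KSK replaces the old one, makes `ds_matches` return False until the parent publishes a new DS.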
The ceremony during which the new keys were generated in Uruguay was held at the Pocitos Data Center, where the hardware security module (HSM) server rack is located.
Who was present during the ceremony? Two crypto officers (each with a USB flash drive), a notary, and five witnesses were present for reasons of transparency.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of LACNIC.