DNSSEC KSK Ceremony 43

Well somehow it’s coming towards the end of 2021 already, which means it’s nearly time again for one of my favourite Internet quirks: a DNSSEC KSK ceremony, number 43 to be exact. What’s a DNSSEC KSK ceremony? Well I covered it in quite verbose detail in my series on DNS earlier this year, but here’s a shorter version:

The domain names we’re all familiar with (like google.com, twitter.com, etc.) are recorded in and distributed via the Domain Name System, or DNS. The DNS is a hierarchy of zones, each served by its own set of authoritative name servers. A zone is essentially the set of records for all the domain names under a given suffix, minus any part that has been delegated to a child zone. For example, in the domain name google.com.au there is the au zone, the com.au zone, and the google.com.au zone.

There’s also the most important zone, the root zone. The root zone is the top of the hierarchy and contains information about all the top-level domains, such as com, net, org, au, xyz, etc.

From the early days of the Internet until DNSSEC was standardised in 2005 (and the root zone signed in 2010), there was no way to verify the authenticity of DNS data, meaning anyone between, say, your computer and the name servers answering for google.com could tamper with DNS responses and make you think you were visiting Google while actually leading you somewhere else entirely.

Many of the risks caused by this lack of authenticity have since been mitigated by the widespread deployment of TLS, whose certificates authenticate the server you actually connect to regardless of how its name was resolved, but there is still merit in being able to authenticate the DNS data itself.

Enter Domain Name System Security Extensions, or DNSSEC. DNSSEC allows a chain of authenticity to be built from any domain name all the way back to the root zone: each zone’s keys are vouched for by its parent zone. I won’t go into the specifics of DNSSEC, as I covered it in my earlier series, but the long and short of it is that something needs to be the final “anchor” of this chain, a key that validators trust outright rather than because a parent signed it. This anchor is the Root Key Signing Key (Root KSK).
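To make the “anchor” concrete, here is an added example (not code from the original post or from IANA) showing how a validator ties the Root KSK to its published trust anchor. IANA publishes the anchor in DS form: the key tag, algorithm, digest type and a digest over the root owner name plus the KSK’s DNSKEY record data (RFC 4034, RFC 4509). A resolver fetches the root DNSKEY set, recomputes that digest and only trusts the chain if it matches. The key bytes below are a constructed placeholder, not the real KSK-2017 public key, and the anchor dictionary is built from them for the demonstration.

```python
"""Derive and check a DNSSEC trust anchor (DS form) for a DNSKEY record.

Added example, not the post author's or IANA's code. The "public key" bytes are
constructed filler so the example runs offline; they are not the real Root KSK.
"""
import hashlib
import hmac
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the empty root label. "." -> b"\\x00"."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5).
    It is only a 16-bit locator for picking the right key out of a DNSKEY set,
    not a security check on its own; the DS digest does the real matching."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name wire form || DNSKEY RDATA). Type 2 is SHA-256
    (RFC 4509), which is what IANA's root-anchors.xml uses."""
    if digest_type != 2:
        raise ValueError("only digest type 2 (SHA-256) is supported here")
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def make_anchor(owner: str, rdata: bytes) -> dict:
    """Build a DS-form trust anchor with the same four fields IANA publishes."""
    _flags, _protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return {
        "KeyTag": key_tag(rdata),
        "Algorithm": algorithm,
        "DigestType": 2,
        "Digest": ds_digest(owner, rdata),
    }


def matches_anchor(owner: str, rdata: bytes, anchor: dict) -> bool:
    """What a validator does with a candidate DNSKEY from the root DNSKEY set:
    require a KSK (Secure Entry Point flag set), the right algorithm and key tag,
    and a digest that matches the published anchor exactly."""
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    if protocol != 3 or not flags & 0x0001:  # bit 15 = SEP; trust anchors are KSKs
        return False
    if algorithm != anchor["Algorithm"] or key_tag(rdata) != anchor["KeyTag"]:
        return False
    computed = ds_digest(owner, rdata, anchor["DigestType"])
    return hmac.compare_digest(computed, anchor["Digest"].upper())


# Constructed placeholder key material (NOT the real Root KSK): 32 bytes 0x01..0x20.
CONSTRUCTED_PUBKEY = bytes(range(1, 33))
# flags 257 = ZONE key + SEP (i.e. a KSK), protocol 3, algorithm 8 (RSA/SHA-256).
ROOT_KSK_RDATA = dnskey_rdata(257, 3, 8, CONSTRUCTED_PUBKEY)
# The anchor a ceremony would publish for this key.
ROOT_ANCHOR = make_anchor(".", ROOT_KSK_RDATA)


def tampered_key() -> bytes:
    """Same key with one byte flipped, as a man-in-the-middle might substitute."""
    tampered = bytearray(ROOT_KSK_RDATA)
    tampered[-1] ^= 0xFF
    return bytes(tampered)


if __name__ == "__main__":
    print("anchor:", ROOT_ANCHOR)
    print("genuine key matches:", matches_anchor(".", ROOT_KSK_RDATA, ROOT_ANCHOR))
    print("tampered key matches:", matches_anchor(".", tampered_key(), ROOT_ANCHOR))
```

The same digest construction applies one level down: a TLD’s DS record in the root zone is the SHA-256 of that TLD’s owner name plus its KSK DNSKEY RDATA, which is how the chain from google.com.au back to the root is actually linked. The one thing this example cannot show offline is the signature over the DNSKEY set that the Root KSK produces at each ceremony; it only shows how the key itself is pinned.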

Because the Root KSK is the anchor of authenticity for the whole of the DNS, it of course needs to be handled both very securely and very transparently, so that the Internet community at large can be sure that it is trustworthy. This transparency manifests primarily through quarterly “ceremonies”, which are the only times that the Root KSK can be accessed, and at which it is used to sign the root zone’s key sets (the DNSKEY records, which carry the Zone Signing Keys used day to day) for the upcoming three months of DNSSEC operation. Again, there’s more coverage of the specifics in part 3 of my earlier series.

Where did we leave off at the last ceremony?

Before we get to the upcoming Ceremony 43, we’ve got to cover a few details going back to Ceremony 40 in February 2020, which was the last pre-COVID ceremony.

During Ceremony 40, the lock on one of the safes at the California DNSSEC facility wouldn’t open and it took a locksmith around 20 hours to drill it out. Due to the massive delay this caused, one of the scheduled tasks for Ceremony 40, the destruction of Hardware Security Module HSM3, was postponed until the next ceremony scheduled to happen at the California facility, Ceremony 42.

But that would soon go even more pear-shaped with the outbreak of COVID-19 around the world. People travelling from around the globe and gathering in a small room for a few hours was just about the best way to guarantee spread of COVID, and would also be difficult or impossible due to travel restrictions, and so ceremonies 41 and 42 were drastically modified to make them as safe as possible.

The main modifications were that the majority of participants participated remotely, both ceremonies were held at the California facility instead of alternating with the Virginia facility, only critical tasks were performed, and nine months’ worth of digital signatures were generated instead of three to allow the ceremonies to happen less frequently.

With all that, HSM3 in California is still pending destruction, and it won’t happen at this ceremony either: now that we’re moving towards COVID normality, Ceremony 43 is being held at the Virginia facility.

Ceremony 43

Ceremony 43 is happening on Thursday Oct 14th at 1700 UTC (which is 4am here in Sydney!) at the Virginia DNSSEC facility. It’ll be the first ceremony to happen there since Ceremony 39 in November 2019, so hopefully we won’t have any issues with safes having stubborn locks!

Well actually, spoiler alert, both safes at the Virginia facility were opened back in June to allow locks and combinations to be changed, so they should (fingers crossed!) open up fine during the ceremony next week. HSM4 and HSM5E were also booted up (but not activated/unlocked) to ensure they’re still functioning normally.

Most of the COVID alterations present in ceremonies 41 and 42 won’t be used for Ceremony 43: only the standard three months’ worth of signatures will be generated and three Crypto Officers (COs) will attend in person. Participating remotely will be representatives from Verisign, external auditors, and a fourth CO as a backup, who has sent their safe deposit box key to IANA in a tamper-evident bag, as all required COs did for ceremonies 41 and 42.

Besides the standard signature generation, one additional task will happen: the commissioning of a new Hardware Security Module, designated HSM6E.

You can find the proposed script for the ceremony on the ceremony’s page on IANA’s website, along with records from the Administrative Ceremonies in June when the Virginia safes were last opened.

I’ll be following along and live tweeting the ceremony. You can watch live too on YouTube. If you have any questions in the meantime, feel free to reach out on Twitter or down in the comments.

UPDATE (14 Oct): The ceremony went without too many hiccups. Read this Twitter thread I wrote during the ceremony for all the details 👇🏻

UPDATE (3 Nov): The final materials from the ceremony are now available on the IANA website, including the audit camera footage and annotated scripts.

The main exception that I wanted to confirm in the annotated script happened at Act 5 Step 9. The Ceremony Administrator (CA) sealed the KSK backup card into its new tamper-evident bag (TEB) without first putting it into its plastic holder. I mentioned this on Twitter as it happened and also wrote down the new TEB’s number, as it would now be different from the one in the draft script. The number recorded in the exception in the annotated script matches the number I wrote down during the ceremony: BB46584614.

That’s all from Ceremony 43 now. Ceremony 44 will take place around February 2022.