February 2020


The .be-registry (DNS Belgium) was, many years ago, one of the very first registries capable of instantly updating information in their nameservers. So if you registered a new domain name, it would instantly be ready to be found. Many other registries have, also until now, stuck to a system of putting updates in a queue and then publishing the new information every hour or every couple of hours. DNS Belgium is however now also the first registry to stop the instant updates and purposefully introduce a delay.

Every 3 months a special ceremony takes place in which new cryptographic “Zone Signing Keys” are being signed, which will be used the next quarter to secure the root DNS zone. These DNSSEC keys are the basis of every DNSSEC-protected domain name. A copy of the “Key Signing Key” required for this, is kept at two secure locations in the US. In order to be able to use it, multiple steps need to be taken during a lengthy ceremony, including the opening of two safes by IANA/ICANN staff. February 12th such a ceremony should have taken place. Since the expected life time of the safes had been reached, IANA had scheduled for them to be replaced. For one of the safes, the expected life time turned out to be extremely accurate: while trying to open it, the lock mechanism refused to cooperate.