
Old-fashioned locksmith needed for root DNSSEC-signing

Every 3 months a special ceremony takes place in which new cryptographic “Zone Signing Keys” are signed; these keys are used during the next quarter to secure the root DNS zone. These DNSSEC keys are the basis of every DNSSEC-protected domain name. A copy of the “Key Signing Key” required for this is kept at two secure locations in the US. To use it, multiple steps need to be taken during a lengthy ceremony, including the opening of two safes by IANA/ICANN staff. Such a ceremony should have taken place on February 12th. Since the safes had reached their expected lifetime, IANA had scheduled them for replacement. For one of the safes, the expected lifetime turned out to be extremely accurate: when staff tried to open it, the lock mechanism refused to cooperate.

A locksmith was summoned in a hurry. But in order not to damage the contents of the safe, he wasn’t allowed to pull out the big guns. And while the lock of the safe had ceased to function, the safe itself still wanted to prove its build quality. The locksmith ended up needing 28 hours to open the safe.

Two days later than planned, the DNSSEC key signing ceremony could finally take place. Because every ceremony signs slightly more keys than are needed for the next 3 months, there was never a danger of the root zone running out of keys.

The eventual ceremony was live-streamed, as all such ceremonies have been for the last 10 years. You can watch the complete video, including two brand new safes, on the IANA website: https://www.iana.org/dnssec/ceremonies/40
Attention: it takes 2:30 hours and is often as exciting as watching paint dry.

February 2020