Last week, the 25th DNS root key ceremony took place.
The context of this ceremony is that, for DNS security purposes, the root of the DNS is signed using a cryptographic key. The use of that key is subject to stringent access requirements, and the ceremony provides the transparency that the Internet community needs in order to trust the authority and integrity of DNS data.
An in-depth explanation of the ceremony is out of scope for this post, but Ólafur Guðmundsson’s blog post gives a reasonable overview of the ceremony itself and the links in that article and our Deploy360 pages on DNSSEC should give you sufficient information if you want to deploy DNSSEC yourself.
The reason for this post is that I want to make two attestations and give a heads up.
Attestation one: I attest that Root Key Ceremony 25 took place according to the script with only one exception: the Ceremony Administration was not performed by Francisco Arias, but by Punky Duero.
Attestation two: During Act 2 of the ceremony the Operating System DVD was replaced and the old OS DVD copies (Rev600) were discarded, in conformance with step 11 of the script. I took one of the DVDs and, using OpenSSL version 1.0.2e from OS X 10.11.4, I verified the SHA256 checksum of the disk. That checksum is exactly the same as the checksum recorded during ceremony 7 – step 12: 7da0d1c5eecb822d7bbd47b31d25e4f0f37bb8a46cfbe288d2b07b32f5e38146
There have been two disks used during the ceremonies; I only took one.
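As an added illustration (this is not the ceremony's tooling and not the command the author ran), the following POSIX shell script checks a DVD, or an image of it, against the SHA256 value recorded in the ceremony script. It hashes the whole medium rather than files copied from the mounted filesystem; the device name /dev/rdisk2 is an assumption and will differ per machine.

```shell
#!/bin/sh
# Added example: verify a ceremony OS DVD (or its ISO image) against the
# SHA-256 recorded in the ceremony script. Not the ceremony's own tooling.

# Digest recorded for the Rev600 OS DVD in ceremony 7, step 12
# (value taken from the post above).
REV600_SHA256=7da0d1c5eecb822d7bbd47b31d25e4f0f37bb8a46cfbe288d2b07b32f5e38146

# Print the lowercase hex SHA-256 of a file or raw block device.
# Prefers the openssl CLI (what the post used); falls back to
# sha256sum or shasum so the check also works where openssl is absent.
sha256_of() {
  if command -v openssl >/dev/null 2>&1; then
    openssl dgst -sha256 "$1" | awk '{print tolower($NF)}'
  elif command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_media PATH EXPECTED_HEX -> returns 0 on match, 1 on mismatch,
# 2 if the path cannot be read. Hash the raw medium (e.g. /dev/rdisk2
# on OS X, an assumed device name), not the mounted filesystem, so that
# boot sectors and unused space are covered by the comparison as well.
verify_media() {
  path=$1
  expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ -r "$path" ] || { echo "cannot read $path" >&2; return 2; }
  actual=$(sha256_of "$path")
  if [ "$actual" = "$expected" ]; then
    echo "OK   $path matches recorded checksum"
    return 0
  else
    echo "FAIL $path" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
  fi
}

# Usage (device name assumed): verify_media /dev/rdisk2 "$REV600_SHA256"
```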
As an aside, the reason for the OS replacement is that the signer needed to be able to deal with the larger (2048 bit) zone signing keys that will be used to sign the root zone. More detail about the key-size increase can be found in this Verisign blog post.
Heads up: The plans for the rollover of the root key are being developed. If you run a validating name server this may impact you. Please follow the developments around the KSK rollover project via https://www.iana.org/dnssec.
Pictures from the 25th ceremony by the author can be found on Flickr.