Today was an unusual day. Perhaps the most interesting DNSSEC Key Signing Key (KSK) ceremony since Ceremony 1.
It was the first DNSSEC Root KSK ceremony post-ICANN-transition. The organization that is subcontracted to perform the IANA function is called PTI, which might stand for Post-Transition IANA, but actually stands for Public Technical Identifiers. In short, a wholly owned (for now?) subsidiary of ICANN to perform the operational function.
We retired the two oldest hardware security modules (HSMs): keys deleted, units zeroized and retained for physical destruction at a later date (yes, we have suggested Office Space, but the reality is likely to be shredding).
We swapped out for a new OSDVD software image, with several very minor changes including:
RSAC-recommended changes to how long the signatures on ZSKs are valid (as can be seen in the attached signer output: 15 vs. 21 days). The ksrsigner was modified so that 21 days is no longer treated as an illegal value; previously its bounds/sanity checking would have rejected it.
Random typos in output fixed
X.509 OU change from “ICANN/IANA” to “PTI”
PGP word list tool added to the OS image.
And of course we created a new set of ZSKs as we do every ceremony.
Most interestingly, we created a new KSK to replace the KSK we've been using since 2010 (both 2048-bit RSA). A copy of the DS record is attached (it's the page with all the human signatures on it). Please note: THIS IS PROVISIONAL. Don't retype it (you can't cut and paste from my scan) as you received it from me; get it through formal channels. I'm only attesting that this is the key that we created at this ceremony. It's not going to be live for a while yet anyway, and if there's some kind of mishap we might have to regenerate it. In other words, it's the first step in a series of events that will come to fruition in 2017q3.
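A DS record is nothing more than a digest over the DNSKEY's owner name and RDATA, plus a key tag, so anyone who obtains both the DNSKEY and the DS (ideally from different channels) can recompute the digest and confirm the two belong together. The following Python is an added example, not part of this post or of the ceremony tooling; it uses only the standard library, follows the RFC 4034 key tag and DS digest construction, and the key material in it is a constructed placeholder, not the real root KSK.

```python
import base64
import hashlib
import struct

# Added example, not part of the original post or the KSK ceremony tooling.
# Recomputes the DS record (RFC 4034) for a DNSKEY so that a DS received
# out of band can be checked against the key it claims to describe.

# Digest types a DS record may carry; SHA-1 (type 1) is omitted as deprecated.
DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(owner: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed
    labels, terminated by the zero-length root label. For "." this is b"\\x00"."""
    labels = [label for label in owner.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags (257 = zone key + SEP, i.e. a KSK),
    8-bit protocol (always 3), 8-bit algorithm (8 = RSA/SHA-256), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for all algorithms except 1).
    It only distinguishes keys from one another; it is not a cryptographic check."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int = 2) -> str:
    """Build the DS RR for a DNSKEY given in presentation form.
    The digest covers the owner name in wire form followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(published_ds: str, owner: str, flags: int, protocol: int,
               algorithm: int, pubkey_b64: str) -> bool:
    """True if a DS line received from one channel matches the DNSKEY received
    (possibly from another channel). Compares key tag, algorithm, digest type
    and digest; owner/class/type tokens at the front of the line are ignored."""
    fields = published_ds.split()
    if len(fields) < 4:
        return False
    try:
        tag, alg, dtype = (int(f) for f in fields[-4:-1])
    except ValueError:
        return False
    if dtype not in DIGESTS or alg != algorithm:
        return False
    expected = ds_record(owner, flags, protocol, algorithm, pubkey_b64, dtype).split()
    return expected[-4:] == [str(tag), str(alg), str(dtype), fields[-1].upper()]


if __name__ == "__main__":
    # Constructed placeholder key material, NOT the real root KSK.
    sample_key_b64 = base64.b64encode(b"\x01\x02\x03\x04" * 8).decode()
    ds = ds_record(".", 257, 3, 8, sample_key_b64)
    print(ds)
    print("matches:", ds_matches(ds, ".", 257, 3, 8, sample_key_b64))
```

Because the key tag is just a checksum, a tag match alone proves nothing; it is the digest comparison that ties a DS to a specific DNSKEY, which is why a DS copied from a scan should be checked against the DNSKEY obtained through the formal channels rather than trusted on its own.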
Alain Aina (DNSSEC Crypto Officer) creates the new 2048-bit KSK at Ceremony 27, while Internal Witness 1 Patrick Jones (left) and Ceremony Administrator Kim Davies look on: