Today was an unusual day. Perhaps the most interesting DNSSEC Key Signing Key (KSK) ceremony since Ceremony 1.

It was the first DNSSEC Root KSK ceremony post-ICANN-transition. The organization that is subcontracted to perform the IANA function is called PTI, which might stand for Post-Transition IANA, but actually stands for Public Technical Identifiers. In short, a wholly owned (for now?) subsidiary of ICANN to perform the operational function.

We retired the two oldest hardware security modules (HSMs) (keys deleted, zeroized, retained for physical destruction at a later date - yes, we have suggested Office Space, but the reality is likely to be shredding).

We swapped out for a new OSDVD software image, with several very minor changes including:

  • RSAC recommended changes of how long the signatures on ZSKs were good (as can be seen in the signer output attached - 15 vs. 21 days). The ksrsigner was modified so that 21 days was not an illegal value - it would have previously failed due to bounds/sanity checking.

  • Random typos in output fixed

  • X.509 OU change from “ICANN/IANA” to “PTI”

  • PGP wordlist tool added to os image.

And of course we created a new set of ZSKs as we do every ceremony.

Most interestingly, we created a new, KSK to replace the KSK which we’ve been using since 2010 (both 2048-bit RSA). Copy of DS record is attached (it’s the page with all the human signatures on it). Please note: THIS IS PROVISIONAL. Don’t retype it (you can’t cut and paste from my scan) as you received it from me; get it through formal channels. I’m only attesting that this is the key that we created at this ceremony. It’s not going to be live for a while yet anyway, and if there’s some kind of mishap we might have to regenerate it. In other words, it’s the first step in a series of events that will come to fruition in 2017q3.

Alain Aina (DNSSEC Crypto Officer) creates new 2048 bit KSK at Ceremony 27, while Internal Witness 1 Patrick Jones (left) and Ceremony Administrator Kim Davies look on:

Alain Aina (DNSSEC Crypto Officer) creates new 2048 bit KSK at Ceremony 27

New 2048-bit DNSSEC Root Key, as soon as it gets imported in El Segundo and officially sanctioned

Ceremony 27 KSKs (note 21 day lifetime) and Ceremony 27 log