Today in the small town of Culpeper, Virginia, ICANN technical staff played host to an unusual and somewhat arcane event. Volunteers from over ten countries made their way by plane, train and automobile to witness and participate in the generation of the cryptographic key that will be used to secure the root zone of the Domain Name System using DNSSEC for the first time.
During the ceremony, participants were present within a secure facility and witnessed the preparations required to ensure that the so-called key-signing-key (KSK) was not only generated correctly, but that almost every aspect of the equipment, software and procedures associated with its generation were also verified to be correct and trustworthy. The ceremony was conducted with the goal of ensuring that there is widespread confidence throughout the technical Internet community that the root zone, once signed, can be relied upon to protect users from false information.
Ceremony participants referred to an extremely detailed checklist and were able to confirm that every aspect of the process was executed exactly as planned. The entire event was video-recorded simultaneously by three separate cameras, and ICANN arranged for the whole system to be subject to a SysTrust audit, a process supported by the archived, unedited video footage and the legal attestations of key participants.
The path down the long road to Culpeper has required considerable effort and investment by ICANN, and has benefited from an extremely productive collaboration between staff at ICANN, VeriSign and the US Department of Commerce. ICANN, with the help of some talented consultants, has designed processes that are thought to surpass those of many commercial Certificate Authorities not only in the degree of openness and transparency in their design and execution, but also in terms of the security engineering involved.
The design of the overall system requires ICANN to execute a ceremony like this one four times per year. The next ceremony is scheduled to take place on July 12 in El Segundo, California, where ICANN has built a second facility intended to ensure continuity for the DNS (and hence Internet users world-wide) in the event of a serious disaster in one location.
All design documentation for the ceremony will be published by ICANN, not only to promote transparency in the process for the root zone, but also to act as a valuable reference to any other organization that needs to build similar systems to support DNSSEC in top-level domains, enterprises, or anywhere else. The deployment of DNSSEC in the root zone of the DNS will hence not only act as a catalyst for global DNSSEC deployment because of the special nature of the root zone, but also because of the design and engineering investment ICANN is giving back to the wider community.