

Major Milestone for the Internet and ICANN | The KSK Key Signing Ceremony is Now Complete

Today in the small town of Culpeper, Virginia, ICANN technical staff played host to an unusual and somewhat arcane event. Volunteers from over ten countries made their way by plane, train and automobile to witness and participate in the generation of the cryptographic key that will be used to secure the root zone of the Domain Name System using DNSSEC for the first time.

During the ceremony, participants were present within a secure facility and witnessed the preparations required to ensure that the key-signing key (KSK), the key whose signature over the root zone's DNSKEY set validators will ultimately trust, was not only generated correctly, but that almost every aspect of the equipment, software and procedures associated with its generation was also verified to be correct and trustworthy. The ceremony was conducted with the goal of ensuring widespread confidence throughout the technical Internet community that the root zone, once signed, can be relied upon to protect users from false information.

Ceremony participants referred to an extremely detailed checklist and were able to confirm that every aspect of the process was executed exactly as planned. The entire event was video-recorded simultaneously by three separate cameras, and ICANN arranged for the whole system to be subject to a SysTrust audit, a process supported by the archived, unedited video footage and the legal attestations of key participants.

The path down the long road to Culpeper has required considerable effort and investment by ICANN, and has benefited from an extremely productive collaboration between staff at ICANN, VeriSign and the US Department of Commerce. ICANN, with the help of some talented consultants, has designed processes that are thought to surpass those of many commercial Certificate Authorities not only in the degree of openness and transparency in their design and execution, but also in terms of the security engineering involved.

The design of the overall system requires ICANN to execute a ceremony like this one four times per year. The next ceremony is scheduled to take place on July 12 in El Segundo, California, where ICANN has built a second facility intended to ensure continuity for the DNS (and hence Internet users world-wide) in the event of a serious disaster in one location.

All design documentation for the ceremony will be published by ICANN, not only to promote transparency in the process for the root zone, but also to act as a valuable reference to any other organization that needs to build similar systems to support DNSSEC in top-level domains, enterprises, or anywhere else. The deployment of DNSSEC in the root zone of the DNS will hence not only act as a catalyst for global DNSSEC deployment because of the special nature of the root zone, but also because of the design and engineering investment ICANN is giving back to the wider community.
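What the ceremony produces, and what the rest of the Internet actually consumes from it, is a KSK whose DNSKEY record is published as a trust anchor in DS form: a key tag, an algorithm number, a digest type and a digest over the owner name plus the DNSKEY RDATA (RFC 4034). A validating resolver recomputes that digest from the DNSKEY it receives for the root and refuses to trust a root DNSKEY set that is not signed by a matching key. The Python below is an added example of that recomputation and comparison; it is not ICANN's ceremony software, the key bytes are constructed placeholders rather than the real root key, and verifying the RRSIG over the DNSKEY RRset itself is out of scope here.

```python
"""Added example: tying a root DNSKEY back to a published trust anchor.
Not ICANN code. The public-key bytes are constructed placeholders."""
import hashlib
import struct

ROOT_OWNER_WIRE = b"\x00"   # wire form of the root name "."
ZONE_FLAG = 0x0100          # DNSKEY ZONE bit (RFC 4034 section 2.1.1)
SEP_FLAG = 0x0001           # Secure Entry Point bit, set on a KSK
SHA256_DIGEST_TYPE = 2      # DS digest type for SHA-256 (RFC 4509)


def dnskey_rdata(flags, algorithm, pubkey, protocol=3):
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B: a 16-bit checksum used as an index, not a security check."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner_wire, rdata):
    """RFC 4034 section 5.1.4: SHA-256(owner name in wire form | DNSKEY RDATA)."""
    return hashlib.sha256(owner_wire + rdata).hexdigest().upper()


def trust_anchor(owner_wire, rdata):
    """The DS-style tuple a ceremony publishes: (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], SHA256_DIGEST_TYPE, ds_digest(owner_wire, rdata))


def matches_trust_anchor(anchor, owner_wire, rdata):
    """Validator side: a received DNSKEY is usable as the root KSK only if it is a
    zone key and its recomputed tag, algorithm and digest equal the configured anchor.
    The digest comparison is the binding; the tag only narrows the candidate set."""
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & ZONE_FLAG:
        return False
    tag, alg, dtype, digest = anchor
    if dtype != SHA256_DIGEST_TYPE or alg != rdata[3]:
        return False
    return key_tag(rdata) == tag and ds_digest(owner_wire, rdata) == digest


# Constructed sample: a 4-byte "public key" stands in for a real RSA key (algorithm 8).
SAMPLE_PUBKEY = bytes([1, 2, 3, 4])
SAMPLE_KSK_RDATA = dnskey_rdata(ZONE_FLAG | SEP_FLAG, 8, SAMPLE_PUBKEY)   # flags 257
SAMPLE_ANCHOR = trust_anchor(ROOT_OWNER_WIRE, SAMPLE_KSK_RDATA)


def demo():
    """Returns (genuine key accepted, one-bit-off key rejected, ZSK with same key rejected)."""
    tampered = dnskey_rdata(ZONE_FLAG | SEP_FLAG, 8, bytes([1, 2, 3, 5]))
    zsk = dnskey_rdata(ZONE_FLAG, 8, SAMPLE_PUBKEY)
    return (
        matches_trust_anchor(SAMPLE_ANCHOR, ROOT_OWNER_WIRE, SAMPLE_KSK_RDATA),
        matches_trust_anchor(SAMPLE_ANCHOR, ROOT_OWNER_WIRE, tampered),
        matches_trust_anchor(SAMPLE_ANCHOR, ROOT_OWNER_WIRE, zsk),
    )


if __name__ == "__main__":
    print("anchor:", SAMPLE_ANCHOR)
    print("accept genuine / tampered / zsk:", demo())
```

The real root trust anchor is distributed by IANA in exactly this DS shape and is what resolvers compare against; a resolver that cannot match any root DNSKEY to its configured anchor treats the whole root as unvalidatable, which is why the generation and publication steps of the ceremony matter far beyond the room in Culpeper.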


Glossary: Internationalized Domain Name (IDN)

IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet "a-z". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European "0-9". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed "ASCII characters" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of "Unicode characters" that provides the basis for IDNs.

The "hostname rule" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen "-". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: a domain name consists of a series of "labels" (separated by "dots"). The ASCII form of an IDN label is termed an "A-label". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a "U-label".

The difference may be illustrated with the Hindi word for "test" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of "ASCII compatible encoding" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an "LDH label". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as "icann.org", is not an IDN.