
Conducting a Key Signing Ceremony in the Face of COVID-19

Four times a year, ICANN brings together experts from around the world to perform a "key signing ceremony", a critical operational event that is fundamental to how we secure the Domain Name System (DNS). In light of the COVID-19 pandemic and the related stay-at-home orders and travel restrictions, the IANA team has been focused on how to continue these operations successfully. This week, our planning will culminate in a unique key signing ceremony that has been altered to accommodate the current environment.

Key signing ceremonies are special operational events where we use the cryptographic keys that secure the DNS root zone. During these ceremonies, we bring the root zone key signing key (KSK), the trust anchor at the top of the DNSSEC chain of trust, out of its protected storage and use it to generate three months' worth of signatures over the root zone's key records. The daily signing of the root zone itself is done with a separate zone signing key (ZSK); the KSK's signatures vouch for the ZSK, which is why the KSK only needs to be used once a quarter. The system is designed so that gaining access to the KSK requires a diverse group of security experts from the community, whom we call Trusted Community Representatives. These community members are distributed globally by design to help minimize risk; they only convene in the same place when we hold a ceremony.

Key signing ceremony planning begins six months in advance. In February, we became aware that COVID-19 could impact the ceremony scheduled for April. ICANN org was evaluating the risks for events such as ICANN67, and it was clear there was potential for significant impacts on our ability to perform a key signing ceremony because of our need to bring people together from around the world. The global distribution of roles is designed to reduce total risk in normal operations, but under COVID-19 travel restrictions that same distribution makes conducting a normal ceremony significantly harder.

Many different facets of ceremony operations were evaluated. Could we hold it in a different place? Could we arrange travel in a way that minimizes the risk to the travelers? Could we delay the ceremony until things get back to normal? We considered many different configurations, and tested our ideas in several community forums with those that participate in the ceremonies, ICANN org staff, and our suppliers.

Ultimately, with the approval of the ICANN Board, we are proceeding with a modified ceremony that minimizes the need for in-person participation. Using this alternate approach, the Trusted Community Representatives will not be physically present. Instead, their role will be performed remotely, as will other roles that are traditionally performed in-person. In total, we will have only seven people physically in our secure facility performing the ceremony, all taking precautions to minimize COVID-19 risks. All of the other roles will be performed remotely.

The secure elements used in the ceremony that are normally held by Trusted Community Representatives have each been transferred, independently of one another, to a different ICANN org staff member in the Los Angeles area for safekeeping, so that no single person holds more than one. We will perform the ceremony with full transparency using online streaming, and will continue to involve the Trusted Community Representatives actively in the proceedings via remote participation.

Another important change we are making is to generate nine months of signed material, rather than the normal three. By doing this, there will be no need to hold another key ceremony for the remainder of 2020. The extra signed material will give us breathing room before seeking to return to our normal operational approach in 2021.
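The signatures the ceremony produces are visible to anyone who queries the root zone, so a practitioner who wants to see how this pre-signed material is consumed can inspect the DNSKEY RRset and its RRSIG. The following is an added example, not code from the original post or from ICANN, that parses output in the presentation format `dig +dnssec DNSKEY .` prints, computes the key tag of each DNSKEY (RFC 4034 Appendix B), checks that the DNSKEY RRset is signed by a key with the KSK flag value 257, and reports how much of the current signature's validity window remains. The sample output, the placeholder key and signature bytes, and the "now" timestamp are all constructed for the example; the real root KSK in use at the time of this post has key tag 20326, which is not in the sample.

```python
"""Inspect a root DNSKEY RRset as printed by `dig +dnssec DNSKEY .`.

Reports which key signed the DNSKEY RRset (it should be the KSK, flags 257,
the key the ceremony uses) and how much of the current pre-signed
validity window remains at a given point in time.
"""
import base64
from datetime import datetime, timezone

# Constructed sample in dig presentation format. Key material and the
# signature are tiny placeholders, NOT real root zone data; the RRSIG key
# tag (2059) is the tag computed from the placeholder KSK below.
SAMPLE_DIG_OUTPUT = """\
.   172800  IN  DNSKEY  256 3 8 BAUG
.   172800  IN  DNSKEY  257 3 8 AQID
.   172800  IN  RRSIG   DNSKEY 8 0 172800 20200721000000 20200701000000 2059 . c2lnbmF0dXJl
"""

# Constructed point in time at which to evaluate the signature.
SAMPLE_NOW = datetime(2020, 7, 10, tzinfo=timezone.utc)

RRSIG_TIME = "%Y%m%d%H%M%S"  # RRSIG inception/expiration presentation format (UTC)


def key_tag(flags, protocol, algorithm, key_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse(text):
    """Return ({key_tag: flags}, [rrsig dicts]) from dig-style DNSKEY output."""
    keys, sigs = {}, []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        if f[3] == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            keys[key_tag(flags, proto, alg, "".join(f[7:]))] = flags
        elif f[3] == "RRSIG" and f[4] == "DNSKEY":
            # fields: type-covered alg labels orig-ttl expiration inception keytag signer sig
            sigs.append({
                "expiration": datetime.strptime(f[8], RRSIG_TIME).replace(tzinfo=timezone.utc),
                "inception": datetime.strptime(f[9], RRSIG_TIME).replace(tzinfo=timezone.utc),
                "key_tag": int(f[10]),
            })
    return keys, sigs


def check_dnskey_signature(text, now):
    """Is the DNSKEY RRset signed by a KSK (flags 257), is that signature
    valid at `now`, and how many whole days of its validity remain?"""
    keys, sigs = parse(text)
    if not sigs:
        raise ValueError("no RRSIG over DNSKEY found")
    sig = max(sigs, key=lambda s: s["expiration"])  # latest-expiring signature
    signer_flags = keys.get(sig["key_tag"])
    return {
        "signer_key_tag": sig["key_tag"],
        "signed_by_ksk": signer_flags == 257,
        "valid_now": sig["inception"] <= now < sig["expiration"],
        "days_remaining": (sig["expiration"] - now).days,
    }


if __name__ == "__main__":
    print(check_dnskey_signature(SAMPLE_DIG_OUTPUT, SAMPLE_NOW))
```

Two caveats a practitioner should keep in mind. First, this only checks the signer's flags and the validity window; it does not verify the signature cryptographically or compare the signing key against the configured trust anchor, which a validating resolver does. Second, the RRSIG expiration visible at any moment is that of the signature currently published, not of the whole stock produced at the ceremony: the pre-signed material is drawn down in successive validity windows, so the date by which the next ceremony must have happened is the expiration of the last signature in the stock, which is not observable from a single query.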

We are confident that we have designed an approach that retains all the necessary security protections to give full assurance that the KSK is secure, while making the necessary adaptations to ensure that the fundamental Internet operations everyone relies upon are not impacted. While it is regrettable that we need to make these changes, maintaining the safety of our community members and our staff is paramount. We must hold the ceremony in this format for everyone's wellbeing.

At 1700 UTC on Thursday, 23 April, we will conduct this newly configured key signing ceremony. It will be streamed online and anyone is welcome to watch. The livestream, script, and other materials will be available at https://www.iana.org/dnssec/ceremonies/41.

If you're interested in learning more, we recently gave an in-depth presentation to the RIPE Community on some of the challenges. A recording of the presentation and the associated slides can be found at https://www.ripe.net/participate/ripe/wg/dns/remote-sessions.
