A Special Meeting of the ICANN Board of Directors was held telephonically on 16 April 2020 at 15:00 UTC. Each Director waived notice of holding the meeting.
Maarten Botterman, Chair, promptly called the meeting to order.
In addition to the Chair, the following Directors participated in all or part of the meeting: Becky Burr, Ron da Silva, Sarah Deutsch, Chris Disspain, Avri Doria, Rafael Lito Ibarra, Danko Jevtović, Göran Marby (President and CEO), Mandla Msimang, Ihab Osman, Nigel Roberts, León Sánchez (Vice Chair), Matthew Shears, and Tripti Sinha.
The following Directors sent their apologies: Akinori Maemura.
The following Board Liaisons participated in all or part of the meeting: Harald Alvestrand (IETF Liaison), Manal Ismail (GAC Liaison), Merike Käo (SSAC Liaison), and Kaveh Ranjbar (RSSAC Liaison).
Secretary: John Jeffrey (General Counsel and Secretary).
The following ICANN Executives and Staff participated in all or part of the meeting: Susanna Bennett (SVP, Chief Operations Officer), Michelle Bright (Board Content Coordination Director), Xavier Calvez (Chief Financial Officer), Franco Carrasco (Board Operations Specialist), Mandy Carver (Senior Vice President for Government and Intergovernmental Organization (IGO) Engagement), Sally Newell Cohen (SVP, Global Communications), David Conrad (Chief Technology Officer), Kim Davies (VP, IANA Services), Sam Eisner (Deputy General Counsel), Dan Halloran (Deputy General Counsel), Jamie Hedlund (SVP, Contractual Compliance & Consumer Safeguard and Managing Director - Washington D.C. Office), John Jeffrey (General Counsel and Secretary), Aaron Jimenez (Board Operations Specialist), Sheila Johnson (Deputy General Counsel), Vinciane Koenigsfeld (Senior Director, Board Operations), Karen Lentz (Senior Director, Policy Research & Data Services), David Olive (Senior Vice President, Policy Development Support), Wendy Profit (Board Operations Senior Manager), Erika Randall (Associate General Counsel), Ashwin Rangan (SVP Engineering & Chief Information Officer), Lisa Saulino (Board Operations Specialist), Amy Stathos (Deputy General Counsel), Theresa Swinehart (Senior Vice President, Multistakeholder Strategy and Strategic Initiatives), Russ Weinstein (Sr. Director, gTLD Accounts and Services), and Gina Villavicencio (SVP, Global Human Resources).
- Main Agenda:
Contingency Plans for Key Signing Key Ceremony
The Chair introduced the agenda item and stated that the Board was considering contingency plans for the next key signing ceremonies in light of the COVID-19 pandemic. He explained that the key signing ceremonies, which generate the cryptographic signatures that allow the root zone to be properly authenticated using DNSSEC, are conducted in a highly transparent and accountable way, including the involvement of trusted community representatives from around the world. The ceremonies, which are generally held every three months, are conducted as specified by the DNSSEC Practice Statement.
COVID-19 has presented some challenges to how the ceremonies are generally conducted due to travel restrictions and social distancing orders in many jurisdictions around the world. The Chair noted that ICANN org has developed a set of options to hold the ceremony taking into account these challenges. He highlighted that the plans have been developed and discussed with the trusted community representatives and the broader operational community to come to the best way forward to retain stakeholder trust under current circumstances.
The Board discussed the plans to hold the key signing ceremony. Ron da Silva asked whether RSSAC or SSAC had provided any comments on the approach outlined in the contingency plan, and David Conrad and Kim Davies updated the Board about ICANN org's outreach efforts concerning the contingency plans. They noted that individual members of SSAC provided comments, and the plans were also provided to the Root Zone Evolution Review Committee (RZERC). There was also discussion on the DNS operations mailing list hosted by the DNS Operations, Analysis, and Research Center. ICANN org worked to address the comments as appropriate.
Harald Alvestrand asked which option in the contingency plan was likely to be selected given current conditions, and Kim noted that the ceremony is proposed to move forward as outlined in Option C in light of the conditions. Lito Ibarra inquired about the communications plan for explaining any changes to how the ceremony would be conducted.
Matthew Shears asked whether there would be a role for the trusted community members to participate remotely, and Kim explained the steps that were being taken to ensure that those participating remotely would have an opportunity for more active engagement to make sure that they remain engaged in the ceremony.
Tripti Sinha moved and Lito Ibarra seconded the proposed resolutions. After discussion, the Board took the following action:
Whereas, ICANN, through its affiliate PTI, must regularly generate cryptographic signatures that allow the root zone to be properly authenticated using DNSSEC. This work is currently performed every three months using "key ceremonies" involving trusted community representatives from throughout the world, governed by the DNSSEC Practice Statement.
Whereas, in December 2019, a new strain of coronavirus, causing a disease referred to as COVID-19, emerged and on 30 January 2020 was declared by the World Health Organization (WHO) as a public health emergency of international concern. On 11 March 2020, the WHO publicly characterized COVID-19 as a pandemic.
Whereas, the COVID-19 pandemic challenges ICANN's ability to perform the key ceremonies according to policy, due to global travel restrictions and guidance from governments and health authorities to limit gatherings of people.
Whereas, in the face of the COVID-19 pandemic, ICANN has developed contingency plans with a graduated approach to holding the key ceremony, initially providing for maximum participation, and incrementally deciding upon alternatives if participation is not possible.
Whereas, there is sufficient uncertainty whether a subsequent ceremony can be held in an orderly manner later in the year, and there are options under consideration that will reduce this risk by holding a ceremony that produces cryptographic signatures for an extended period of time.
Resolved (2020.04.16.01), the Board finds the contingency plans to be in the best interests of ICANN and in the global public interest, and authorizes the President and CEO, or his designee(s), in consultation with the VP, IANA Services, to take all necessary steps to perform the key signing ceremonies as provided in the contingency plans.
All members of the Board present voted in favor of Resolution 2020.04.16.01. Akinori Maemura was unavailable to vote on the Resolutions. The Resolutions carried.
Rationale for Resolutions 2020.04.16.01
The Root Zone Key Signing Key (Root KSK) is managed using a system that deliberately disperses a number of trusted roles both logically and geographically as a security measure that is designed to reduce risk of collusion between parties to perform unplanned activity. In normal operations, many of these trusted role-players need to converge at one of two ICANN-managed sites (key management facilities, or KMFs) to perform "ceremonies" where each performs their role to perform essential KSK procedures, typically once every three months.
Due to the 2020 Coronavirus pandemic, ICANN org staff's mobility has been curtailed and other companies that supply these trusted roles are enacting similar policies. Further, governments have implemented travel restrictions that have a similar effect of reducing mobility. There is a significant risk that these events reduce participation below minimums that harm KSK management. Without effective contingency plans, the inability to perform successful KSK operations would ultimately mean a widespread catastrophic failure of the DNS.
- Board Remit
The Board's action on this matter is in-line with precedent concerning significant decisions around the operations of the DNSSEC key signing key that could have widespread community impact. In the past, the ICANN Board adopted a resolution authorizing proceeding with the first key-signing key rollover.
The Board's action today is to authorize the President and CEO, in consultation with the VP, IANA Services, to take all necessary steps to perform the key signing ceremonies as outlined in the following contingency plans. The ceremony management approach in the contingency plans contains two key components:
- A graduated approach to holding the ceremony, initially providing for maximum participation, and incrementally deciding upon alternatives if participation is not possible.
- Seek to implement a contingency to sign for additional quarters at the next ceremony, which will provide operational resilience against a period of anticipated high volatility.
The associated procedures and policies were updated to reflect these new procedures during a meeting of ICANN's Policy Management Authority on 6 April 2020. In particular, the DNSSEC Practice Statement (DPS) formally governs how KSK management is performed, and has been revised to allow for implementation of the presented options following proper authorization by management.
3.1 Planned scenarios for holding KSK Ceremony 41
The graduated approach consists of four options, ranked from most desirable to least desirable. Each has associated conditions and approval processes for moving to the next option:
3.1.1 Option A: Hold the April 2020 Ceremony as planned
The 41st KSK ceremony is currently scheduled for 23 April in Culpeper, Virginia. The ceremony can continue to be held that date according to normal procedure if the minimum number of attendees are present, including three trusted community representatives.
Key risks: Holding the ceremony as planned relies on international mobility of trusted community representatives which is currently severely compromised, and the future evolution of these restrictions is unpredictable. Staff mobility is also impacted domestically.
Proceeding to Option B: If, in the judgment of the VP, IANA Services, the situation does not stabilize with a high level of confidence that the ceremony can be held as scheduled, Option B shall become the preferred option.
3.1.2 Option B: Hold the ceremony with only US-based personnel
Three of the seven trusted community representatives for the Culpeper location are based in the US, two on the east coast and one on the west coast. Only two of the three can attend the ceremony scheduled for the selected date, so this option would identify an alternate date that can be attended by all three.
Key risks: This option relies upon ongoing domestic mobility of trusted community representatives and staff. It also assumes necessary personnel do not get sick or otherwise cannot attend, as there is no safety margin for non-attendance.
Proceeding to Option C: If in the judgment of the President of ICANN the ceremony cannot be committed to with a high level of confidence or otherwise cannot be executed by May 8, Option C becomes the preferred option.
3.1.3 Option C: Hold the ceremony only with Los Angeles based personnel and minimum in-person participation
The KMFs were expressly designed to allow for staff-only ceremonies in a disaster recovery ceremony to ensure key ceremonies are held as needed. The minimum essential personnel could perform a key ceremony in our El Segundo KMF on short notice. This would, however, not have the required number of trusted community representatives present in-person.
Key risks: This option requires a minimum number of staff and contractors to be available (i.e. not incapacitated or restricted in movement). It breaches the standard expectations on participation in key ceremonies, but is considered an option within scope of the disaster recovery procedure.
Proceeding to Option D: If the ceremony cannot be conducted by June 19, Option D becomes the ultimate option. The Board of ICANN shall make the final determination to move to Option D.
3.1.4 Option D: Suspend signing of the DNS root zone
This is the final option if there is no conceivable way to activate the KSK and perform signing operations. There would need to be a massive education campaign at short notice to have resolver operators disable DNSSEC validation. There is a high risk of widespread outages as it is not possible to ensure global implementation, and high risk this will fatally compromise trust in DNSSEC in general as a technology.
This is considered highly unlikely, but nonetheless the final option. Without exercising the option, in the absence of a successful key signing ceremony, DNSSEC validation would be unsuccessful starting in July 2020.
3.2 Sign key material covering two calendar quarters
A standard key ceremony generates signatures that cover one calendar quarter (3 months). Generating signatures that cover additional calendar quarters in this key ceremony will provide greater resilience to root zone operations during a period of ongoing uncertainty. Should a prolonged threat materialize, this additional time will allow for consideration of long-term changes to the current key ceremony model if necessary.
Based on the feedback from the trusted community representatives, we expect to generate signatures for three quarters, covering nine months. Such an action would relieve the need to hold a key signing ceremony for the remainder of 2020, therefore the next ceremony would be needed around February of 2021. The key material for the additional quarters would be held securely by ICANN and released to the Root Zone Maintainer in accordance with the normal schedule.
- Stakeholder Consultation
In preparing this approach, staff engaged with:
- those scheduled to take part in the April 2020 ceremony;
- the third-party auditor;
- the root zone maintainer;
- the vendors that support the key ceremonies;
- the trusted community representatives and former ceremony attendees;
- ICANN's Root Zone Evolution Review Committee, comprised of representatives of ICANN's various sponsoring organizations and advisory committees;
- the DNS-OARC operations mailing list; and
- the KSK Rollover project mailing list.
General notice of this approach was also provided to our public announcement mailing list, comprised of around 700 subscribers interested in Root KSK management.
Discussions focused on the viability of elements of the proposal, their impacts on operations and the control environment, and steps necessary to retain the high levels of trust that ICANN enjoys with respect to how it manages the KSK.
- Fiscal Impact
This proposal is not anticipated to have a material fiscal impact beyond normal operational costs associated with KSK management.
- Public Consultation Requirements
This matter relates to IANA Naming Functions operations. Procedures that are used in KSK operations must be approved by the Policy Management Authority, an internal ICANN Org committee. There is no formal public comment requirement; however, IANA staff will continue to consult with the trusted community representatives and other stakeholders to implement and adapt these plans. A communications strategy will be developed to support awareness of any operational changes and impacts.
- Public Interest
The Board's action is within the public interest and within ICANN's mission as it will help to continue to ensure the stable and secure operation of the Internet's unique identifier systems. The inability to conduct the next key ceremony would result in widespread DNS resolution failure globally in July 2020 as DNSSEC would cease to function. The Board's action will help ensure that DNSSEC-enabled devices will be able to resolve any domain names.
- Key Risks
The following risk considerations were factored into the Board's deliberations on this action.
8.1 Travel of attendees is interrupted
The primary risk that this plan is designed to address is the inability of attendees to attend the key ceremony. The suggested mitigation is the graduated approach to different options to hold the ceremony, up to and including holding a ceremony only with staff in the Los Angeles metropolitan area, that will not require air or interstate travel.
8.2 Facility operator suspends access to facility
The company that provides the facilities in which the KMFs are based may suspend access as part of their response to the pandemic. The suggested mitigation would be to advocate to their senior management, through trusted proxies if necessary, to make an exception given the requirement to hold this ceremony to support critical Internet infrastructure and Internet operation. ICANN has been in discussion with the US Government about issuance of special guidance should it be necessary to retain the access needed to perform the key ceremony.
8.3 Government suspends access to the facility, and/or constrains travel
Governments at different levels may impose restrictions on travel or gatherings that impede the ability to hold the ceremony. ICANN can advocate for exceptions to be made through the appropriate channels, as described in the previous section, noting the requirement to hold this ceremony to support critical Internet infrastructure and Internet operation. In particular, ICANN has existing relationships with governments that can be used to seek such exemptions.
8.4 Staff become ill or otherwise indisposed
The minimum essential personnel may be incapable of performing the ceremony because they themselves are ill, quarantined or otherwise unavailable. The primary mitigation is that IANA Services staff and other support staff from ICANN Org have been implementing social distancing since the beginning of March 2020 to limit potential transfer of illness. Additionally, there is approximately a three-month window to traverse the options presented, with sufficient slack to allow the exact date within each option to be adjusted to allow for recovery and still be held.
8.5 Option C undermines community trust in KSK stewardship
Holding a ceremony without the standard protections, including third-party community witnesses physically in the KMF, may dilute trust in the management and stewardship of the KSK. To mitigate this, the ceremony would still be conducted to audit standards, under supervision of a third-party auditor, and all materials (including comprehensive audit footage and ceremony artefacts) would be posted online as is standard. Live streaming of the ceremony would be provided and enhanced to allow those not present to observe and interject with concerns or questions. TCRs and other stakeholders have been consulted on how to conduct an Option C ceremony so it is performed to their maximum satisfaction given the necessary constraints. We would strive to obtain buy-in from TCRs and other stakeholders that this would be the right compromise given the alternatives.
Public Interest Registry (PIR) Change of Control
Item removed from agenda.
The Chair called the meeting to a close.
Published on 21 May 2020