For just over 10 years now, every three months, a diverse group of “Trusted Community Representatives” [1] has gathered in one of two data centres in the USA and followed an agreed script to sign a batch of Key Signing Requests (KSRs) provided by Verisign. Once these are returned with the proper signatures at the end of the process, they enable Verisign to publish the signed Internet DNS root zone to the DNS root servers for the Internet.
This process has quite a bit of redundancy built in to ensure continuity, but the ceremonies require the physical presence of people to operate the machinery (for more details, see section 4.2.2 of the ICANN DNSSEC Practice Statement (DPS)).
The DPS itself calls for a disaster recovery plan that contemplates the possible loss of the four Hardware Security Modules (HSMs) in the two facilities. Even then, we still need humans.
An issue that has always floated around the process has been the possibility that the USA would close its borders in the event of turmoil (war, widespread discontent, and so forth). Never did anyone think a virus would be the cause of such an event. And yet, here we are, “The best-laid schemes o’ mice an’ men Gang aft agley” [2].
It’s not quite an immediate problem, as we’ve generated signatures until the end of June 2020. The ceremony carried out in February generated the necessary signatures (not without its own set of incidents, mind you), but we need a course of action before that date to produce the next batch of signatures. Any responsible operator, which the IANA operator has proven to be, needs to think ahead, and so we now have an open discussion on how to proceed.
Several options are on the table and input is being sought. The least desirable option, but simultaneously the most likely given the current situation, is a ceremony that uses the part of the disaster recovery process in which only California-based ICANN staff, and possibly a locksmith, enter the facility in Los Angeles, force their way into the safe deposit boxes containing the necessary credentials (no safe drilling this time, as the ICANN staff who can open the safes are presumed to be on site) and perform the signing while everyone else watches attentively. I would expect the Trusted Community Representatives to pay particularly close attention, if nothing else because we are familiar with the process and can ‘spot the difference’, not to mention that our role is to provide accountability on the Internet’s behalf.
Who would’ve thought that in designing an open, accountable and clear process that handled the private key of the root of the DNS we would end up in a situation where a virus threw all these carefully formulated plans aside!
Footnotes
[1] Yes, I’m one of them!
[2] “To a Mouse, on Turning Her Up in Her Nest With the Plough, November, 1785” Robbie Burns.
This article was originally published on the APNIC blog.
Comments
dsm
Hi, thanks for this. We hosted BCS that day after the signing of the root for DNSSEC; why not offer this to the Internet BCS SG as a talk?