This year I was selected to be one of ICANN’s TCRs, the Trusted Community Representatives, to participate in the DNS Root Signing Ceremony. My particular role is to be Cryptographic Officer, responsible for guarding 1 of the 7 keys that allow access to the KSK.
In this article I want to explain what this job is about, oriented to people without deep technical knowledge in DNS/DNSSEC.
DNS is the protocol that lets domain names work on the Internet. DNSSEC adds digital signatures to DNS, so that each response carries a proof of its authenticity, which can be verified in real time by anyone who receives those messages.
In this way, the DNS lets you learn that www.fao.org is a website located at IP address 104.18.24.133, and DNSSEC adds a digital signature certifying that the response was created by the World Food and Agriculture Organization (FAO), and that it is correct and complete.
For this certification, cryptographic keys are used: pieces of mathematical information that ensure only the authorized party can create signatures, while anyone on the Internet can verify them. Making a parallel with handwritten signatures, only you can draw your signature (no one can copy your strokes or the way you draw it), and all of us are specialized experts who can verify that it is real and correct, and that no one copied it from somewhere else.
The DNS is hierarchical, in the sense that all the information starts from a root and from there is distributed to the rest of the domain names. Following the example, www.fao.org is a name that is part of the fao.org domain, which in turn is part of the org domain, which is finally part of the root. Each organization is responsible for its own label: www.fao.org is created and managed by FAO, whatever happens in org is created and managed by a body called PIR, and whatever happens in the root is managed by ICANN, the body in charge of the DNS root.
This same hierarchy is used for signatures. To verify that the DNS message for www.fao.org carries correct signatures, the mathematical proof is checked using FAO's keys. But how do we trust FAO's keys? We go to their parent, org, which certifies that the fao.org key is correct. And how do we know that the org key is correct? We go to its parent, the DNS root, which certifies that the org key is correct. And finally, how do we verify that the root key is correct? Here there are no more parents, so this key has to be known all over the Internet: any computer, server, phone, or other device that uses DNSSEC must already know this last key, the mother of all keys (in DNSSEC terms, the trust anchor).
So we finally come to answer the original question: what is root signing? It is the creation of keys and digital signatures using the cryptographic keys of the DNS root, which is the origin of the verification chain for all domain names on the Internet.
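To make the chain of trust concrete, here is an added toy model of it in Python. It is not IANA's or ICANN's code and does not speak real DNSSEC: textbook RSA with small generated keys stands in for the real signature algorithms, records are plain strings rather than wire format, and the zone names, the "DS"-style key digests and the sample A record (the IP from the article) are constructed for the demo. What it shows is the walk the text describes: the validator starts from a root key it already knows, checks that each parent signs a digest of its child's key, and only then accepts the leaf's signed answer; a tampered answer, a key no parent vouches for, or a wrong root key all fail.

```python
# Added illustration: a toy DNSSEC-style chain of trust. Not IANA/ICANN code.
# Assumptions: textbook RSA (toy keys, sha256, no padding) stands in for real
# DNSSEC algorithms, and records are ad hoc strings rather than wire format.
import hashlib
import random

random.seed(1)  # deterministic toy keys for the demo; never seed like this for real keys

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test, sufficient for a toy key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def keygen(bits=512):
    """Return (public, private) textbook RSA keys: ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # gcd(e, phi) == 1 because e is prime
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))

def sign(private, message):
    n, d = private
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(digest, d, n)

def verify(public, message, signature):
    n, e = public
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == digest

def ds_digest(public):
    """Hash of a child's public key, as the parent publishes it (like a DS record)."""
    return hashlib.sha256(repr(public).encode()).hexdigest()

def make_zone(name):
    public, private = keygen()
    return {"name": name, "key": public, "_private": private, "records": {}}

def add_record(zone, rrname, rdata):
    """Publish a record signed with the zone's own key (like an RRSIG over an RRset)."""
    signature = sign(zone["_private"], f"{rrname} {rdata}".encode())
    zone["records"][rrname] = {"rdata": rdata, "sig": signature}

def delegate(parent, child):
    """The parent vouches for the child's key by signing its digest."""
    add_record(parent, "DS " + child["name"], ds_digest(child["key"]))

def _record_ok(zone, rrname):
    """Return the record's data only if the zone's own signature over it verifies."""
    record = zone["records"].get(rrname)
    if record is None or not verify(zone["key"], f"{rrname} {record['rdata']}".encode(), record["sig"]):
        return None
    return record["rdata"]

def validate(trust_anchor, chain, rrname):
    """Walk root -> ... -> leaf; return the answer if every link verifies, else None."""
    if chain[0]["key"] != trust_anchor:  # the root key must be known in advance
        return None
    for parent, child in zip(chain, chain[1:]):
        published = _record_ok(parent, "DS " + child["name"])
        if published != ds_digest(child["key"]):  # parent does not vouch for this key
            return None
    return _record_ok(chain[-1], rrname)

def build_example():
    """Constructed sample: root -> org. -> fao.org. with one A record (IP from the article)."""
    root, org, fao = make_zone("."), make_zone("org."), make_zone("fao.org.")
    delegate(root, org)
    delegate(org, fao)
    add_record(fao, "A www.fao.org.", "104.18.24.133")
    return root, org, fao
```

Calling `validate(root["key"], [root, org, fao], "A www.fao.org.")` on the zones from `build_example()` returns the address; the same call with the org key passed as the trust anchor, with a modified answer, or with a `fao.org.` zone whose key the org zone never delegated to, returns `None`. That last case is the whole reason the root key matters: every device must start from the same known root key, because nothing above it can vouch for it.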
Root signing ceremonies are meetings where DNS root keys are accessed. In some ceremonies, new keys are created, in others the keys are signed, and there are also administrative activities such as backups, copying between different devices, and so on.
As you might suspect, this work has to be done very carefully. The keys are stored in specialized devices called “HSMs” (Hardware Security Modules): boxes that are capable of generating keys and signing, and that have extreme security controls. HSMs have internal mechanisms that detect any attempt to open them, strike them, or otherwise tamper with them physically; if any such act is detected, they erase themselves automatically. To communicate with them a special protocol is needed, and they do not connect to any kind of network, let alone the Internet! Finally, in order to activate the HSMs, smart cards are needed, which are guarded by different people, and a minimum quorum of cards is required to operate. This prevents anyone from activating them on their own, and requiring a minimum number of other people prevents collusion.
Ceremonies are very controlled activities. Everything that is done must be written in a script, from entering the room to the step-by-step of every activity. This script is available to anyone who wants to review it, and different people audit and certify that it was followed correctly. IANA is certified through two external audits per year.
On the other hand, the HSMs are stored inside anti-intrusion bags, and then inside safes. The safes are inside a cage with restricted access, and this cage is in a special office in a data center guarded by armed guards.
IANA maintains two such facilities, each with a copy of the information. One is on the east coast of the United States (near Washington DC), and the other is on the west coast, in Los Angeles.
The TCRs are selected from different parts of the world, to represent the whole community. Currently there are 4 of us from Latin America, who share different roles and are divided between the two locations where the ceremonies are held.
As indicated above, to activate the HSM a quorum of smart cards is needed. These cards are guarded by “Cryptographic Officers”, and of the seven officers, at least three must be present to activate them.
That is why my job as CO is to attend the ceremonies, present the card to the ceremony administrator, and certify that the activities carried out are faithful to the script. Finally, it is also important to make sure that the HSMs are deactivated after use and stored properly in their bags and safes, and to guard the card until the next ceremony.
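The two passages above (the quorum of smart cards that activates the HSM, and the three-of-seven rule for Cryptographic Officers) both rest on the same idea: below the quorum, the people present learn nothing and can do nothing. The following added Python example illustrates that idea with Shamir secret sharing, a well-known threshold scheme. This is an illustration only and not how IANA's HSMs or smart cards actually work (that is vendor hardware and the cards are activation credentials, not shares of the KSK); the 127-bit field, the sample secret and the `quorum_recover` gate are constructed for the demo.

```python
# Added illustration of an M-of-N quorum (here 3-of-7) using Shamir secret
# sharing. NOT how IANA's HSMs or smart cards work; it only shows why fewer
# than the quorum learn nothing about the protected value.
import random

PRIME = 2**127 - 1  # field modulus (assumption: secrets are smaller than this)
_rng = random.SystemRandom()

def split_secret(secret, threshold, shares):
    """Split `secret` into `shares` points; any `threshold` of them recover it."""
    if not 1 <= threshold <= shares < PRIME or not 0 <= secret < PRIME:
        raise ValueError("bad parameters")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [_rng.randrange(1, PRIME) for _ in range(threshold - 1)]
    def f(x):
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME
    return [(x, f(x)) for x in range(1, shares + 1)]

def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the field; needs >= threshold shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share presented")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

def quorum_recover(presented, threshold):
    """Gate modelled on the ceremony rule: refuse unless a full quorum is present."""
    if len(presented) < threshold:
        return None
    return recover_secret(presented[:threshold])
```

With `cards = split_secret(secret, 3, 7)`, any three cards (in any order, and any larger subset) reconstruct `secret`, while any two reconstruct a different value; the quorum gate simply refuses to try with fewer than three. The same property is what the ceremony relies on: no single officer, and no pair of them, can bring the HSM to life.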
IANA maintains a site where all the policies, procedures, and scripts that control root signing ceremonies are publicly available: IANA DNSSEC Information.
You will also find the material for each ceremony, including the script with written notes, and a video of the entire activity! This video is streamed in real time and anyone can follow it, and there is even an expert present to answer comments, so take advantage of the opportunity to ask questions right there.
Of course there was quite a stir about “the seven keys that control the Internet” :) There are quite a few press releases and articles, some more accurate than others.
And actually it has already appeared in some episodes of series ;)
Here’s a scene from the 2017 series “The Blacklist Redemption”, and another from “Elementary”.
There was also a visit from a famous Youtuber, who made a couple of notes.
And on a more serious side, the BBC made a documentary, of which I only got the first few seconds.