In mid-October 2024, a new root signing ceremony was held, this time with three objectives:
Additionally, a set was signed in case the new key has to be withdrawn. This covers any emergency, for example if publishing the new key causes problems for some resolvers because of the new size. That is unlikely: this is the third rotation in history, and the others had no problems. But it is very important to have an “escape plan” for any emergency.
The new KSK-2024 key has the following DS hash and public key:
. IN DS 38696 8 2 683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16
. IN DNSKEY 257 3 8 (
AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jB
osZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnh
athWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZO
T4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9m
R7K2vaF18UYH9Z9GNUUeayffKC73PYc=
)
which you can verify on the official IANA site in various formats.
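The check below is an added example, not code from the original post or from IANA: it recomputes the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4509) from the DNSKEY above and compares them with the published DS record. The function and constant names are illustrative.

```python
import base64
import hashlib
import struct

# Values copied from the DS and DNSKEY records shown on this page.
DS_KEY_TAG, DS_ALGORITHM = 38696, 8  # DS digest type 2 means SHA-256
DS_DIGEST = "683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16"
DNSKEY_FLAGS, DNSKEY_PROTOCOL, DNSKEY_ALGORITHM = 257, 3, 8
DNSKEY_B64 = (
    "AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jB"
    "osZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnh"
    "athWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZO"
    "T4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9m"
    "R7K2vaF18UYH9Z9GNUUeayffKC73PYc="
)
ROOT_OWNER_WIRE = b"\x00"  # the root name "." in DNS wire format


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """Build DNSKEY RDATA (RFC 4034 section 2.1) from presentation fields."""
    key = base64.b64decode(key_b64, validate=True)  # reject stray characters
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner_wire, rdata):
    """DS digest type 2: SHA-256 over owner name || DNSKEY RDATA."""
    return hashlib.sha256(owner_wire + rdata).hexdigest().upper()


def verify_trust_anchor(key_b64=DNSKEY_B64):
    """Return True only if the DNSKEY reproduces the published DS record."""
    rdata = dnskey_rdata(DNSKEY_FLAGS, DNSKEY_PROTOCOL, DNSKEY_ALGORITHM, key_b64)
    return (
        DNSKEY_ALGORITHM == DS_ALGORITHM
        and key_tag(rdata) == DS_KEY_TAG
        and ds_digest(ROOT_OWNER_WIRE, rdata) == DS_DIGEST
    )


if __name__ == "__main__":
    print("KSK-2024 DNSKEY matches DS:", verify_trust_anchor())
```

The key tag is only a 16-bit checksum for selecting candidate keys; the SHA-256 digest is what binds the DS record to this exact DNSKEY.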
Additionally, a new operating system (coen-2.0.0) was released for controlling the HSMs, and this version manages both models at the same time (remember that, starting this year (post in Spanish only), Luna devices came into use and will replace the original Keyper in the future). Although this time it was not necessary to sign with the new Luna, in the following ceremonies both will be used in parallel, signing with both at the same time. This will be necessary until the key rotation is completed, in a couple of years. After that, the Keyper will be decommissioned and only the Luna will be used.
Once again, I wanted to thank the tremendous work of the “Root Zone KSK Operations Security” officials, Andrés and Aaron, who managed to schedule an impeccable ceremony!