In mid-October 2024, a new root signing ceremony was held, this time with three objectives:

  • the normal one, which is to sign the upcoming ZSKs for the first quarter of 2025;
  • a change to one of the TCRs (Trusted Community Representatives). Frederico Neves, the director of Registro.BR from Brazil, is stepping down. He has been with us since the first ceremony. We thank him for all the time he dedicated and for his contributions to improving the ceremonies from the beginning. His replacement will be George Michaelson from APNIC, Australia;
  • including the new KSK-2024 in the DNSKEY set of the first quarter of 2025, thus initiating the key rotation phase. On January 11, 2025, this new KSK should be published alongside the current one, but the keyset will still be unsigned.

Additionally, a set was signed in case it becomes necessary to withdraw the new key. This covers any emergency, for example if publishing the new key causes problems for some resolvers because of the new size. It is unlikely: this is the third rotation in history, and the others had no problems. But it is very important to have an “escape plan” for any emergency.

The new KSK-2024 key has the following DS hash and public key:

. IN DS 38696 8 2 683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16
. IN DNSKEY 257 3 8 (
         AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jB
         osZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnh
         athWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZO
         T4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9m
         R7K2vaF18UYH9Z9GNUUeayffKC73PYc=
         )

that you can verify on the official IANA site in various formats.
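The DS record is derived from the DNSKEY, so the two records above can also be checked against each other locally. The following is an added example, not part of the original post or of IANA's tooling: it recomputes the key tag (RFC 4034, Appendix B) and the SHA-256 DS digest (RFC 4034 section 5.1.4, RFC 4509) from the DNSKEY shown above; the function names are illustrative.

```python
import base64
import hashlib
import struct

# DS and DNSKEY values copied from the records above (root zone, owner ".").
DS = (38696, 8, 2, "683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16")
DNSKEY_FLAGS, DNSKEY_PROTO, DNSKEY_ALG = 257, 3, 8
DNSKEY_B64 = """
AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jB
osZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnh
athWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZO
T4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9m
R7K2vaF18UYH9Z9GNUUeayffKC73PYc=
"""

def dnskey_rdata():
    """Wire-format DNSKEY RDATA: flags | protocol | algorithm | public key."""
    key = base64.b64decode("".join(DNSKEY_B64.split()), validate=True)
    return struct.pack("!HBB", DNSKEY_FLAGS, DNSKEY_PROTO, DNSKEY_ALG) + key

def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit sum of the RDATA with the carry folded in."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(rdata, owner_wire=b"\x00"):
    """SHA-256 over owner name (root is a single zero byte) + DNSKEY RDATA."""
    return hashlib.sha256(owner_wire + rdata).hexdigest().upper()

def rsa_params(rdata):
    """RFC 3110 key layout: exponent length, exponent, modulus."""
    key = rdata[4:]
    elen, off = (key[0], 1) if key[0] else (int.from_bytes(key[1:3], "big"), 3)
    exponent = int.from_bytes(key[off:off + elen], "big")
    modulus = int.from_bytes(key[off + elen:], "big")
    return exponent, modulus.bit_length()

def check_anchor():
    """Compare every DS field with the value recomputed from the DNSKEY."""
    rdata = dnskey_rdata()
    tag, alg, digest_type, digest = DS
    return {
        "sep_flag_set": bool(DNSKEY_FLAGS & 0x0001),  # 257 = zone key + SEP (KSK)
        "key_tag_matches": key_tag(rdata) == tag,
        "algorithm_matches": DNSKEY_ALG == alg,
        "digest_matches": digest_type == 2 and ds_digest(rdata) == digest,
    }

if __name__ == "__main__":
    for name, ok in check_anchor().items():
        print(f"{name}: {'OK' if ok else 'MISMATCH'}")
```

Agreement here only shows that the DS and DNSKEY printed above are consistent with each other; authenticity still depends on comparing them with the trust anchor IANA publishes.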

Additionally, a new operating system (coen-2.0.0) was launched for controlling the HSMs, and this time it manages both models at the same time (remember that starting this year (post in Spanish only), Luna devices began to be used, which will replace the original Keyper in the future). Although this time it was not necessary to sign with the new Luna, in the following ceremonies both will be used in parallel, signing with both at the same time. This will be necessary until the key rotation is completed, in a couple of years. After that, the Keyper will be decommissioned, and only the Luna will be used.

Once again, I wanted to thank the tremendous work of the “Root Zone KSK Operations Security” officials, Andrés and Aaron, who managed to schedule an impeccable ceremony!

