DNSSEC root key signing ceremony

E37204

The DNSSEC root key signing ceremony is a highly controlled, regularly scheduled cryptographic event where trusted personnel generate and manage the root cryptographic keys that secure the global Domain Name System.

All labels observed (6)

How this entity was disambiguated

Statements (51)

Predicate Object
instanceOf DNSSEC operational process
cryptographic key management ceremony
security ceremony
frequency held several times per year
governingDocument DNSSEC root key signing ceremony self-linksurface differs
surface form: DNSSEC Practice Statement for the Root Zone KSK Operator

DNSSEC root key signing ceremony self-linksurface differs
surface form: ICANN DNSSEC Key Management Policy
hasParticipantRole Auditor
Ceremony Administrator
Crypto Officer
External Witness
Internal Witness
Security Officer
System Administrator
Trusted Community Representative
involves backup and escrow of key material
formal roll call of participants
generation of new Key Signing Key material
public publication of ceremony reports
signing of root zone key sets
verification of hardware security module integrity
verification of software checksums
location Culpeper, Virginia key management facility
El Segundo, California key management facility
operatedBy ICANN as the IANA Functions Operator
output ceremony audit logs
root zone trust anchor material
signed root zone Key Signing Key
video recordings
purpose to ensure trust in the DNSSEC root of trust
to generate and manage the DNSSEC root zone Key Signing Key
to securely sign the DNS root zone key material
relatedTo Domain Name System root zone
surface form: DNS root zone

DNSSEC
surface form: Domain Name System Security Extensions

Internet Corporation for Assigned Names and Numbers
surface form: ICANN

Internet Assigned Numbers Authority
DNSSEC root key signing ceremony self-linksurface differs
surface form: root zone Key Signing Key
scope global DNS root zone
securityProperty ensures integrity of DNSSEC root zone keys
implements multi‑factor authentication for key use
implements quorum‑based key activation
implements separation of duties
startYear 2010
trustModel forms the apex of the DNSSEC chain of trust
uses formal scripts and checklists
hardware security modules
multi‑party control procedures
offline computing environments
physical security controls
smart cards
tamper‑evident bags
video recording of all critical steps

How these facts were elicited

Referenced by (6)

Full triples — surface form annotated when it differs from this entity's canonical label.

Domain Name System root zone hasKeyType DNSSEC root key signing ceremony
this entity surface form: DNSSEC KSK
Domain Name System root zone hasEvent DNSSEC root key signing ceremony
DNSSEC root key signing ceremony relatedTo DNSSEC root key signing ceremony self-linksurface differs
this entity surface form: root zone Key Signing Key
DNSSEC root key signing ceremony governingDocument DNSSEC root key signing ceremony self-linksurface differs
this entity surface form: DNSSEC Practice Statement for the Root Zone KSK Operator
DNSSEC root key signing ceremony governingDocument DNSSEC root key signing ceremony self-linksurface differs
this entity surface form: ICANN DNSSEC Key Management Policy
Culpeper, Virginia key management facility associatedWith DNSSEC root key signing ceremony
this entity surface form: DNSSEC root zone key ceremonies