DNSSEC root key signing ceremony
E37204
The DNSSEC root key signing ceremony is a highly controlled, regularly scheduled cryptographic event where trusted personnel generate and manage the root cryptographic keys that secure the global Domain Name System.
Statements (51)
| Predicate | Object |
|---|---|
| instanceOf | DNSSEC operational process; cryptographic key management ceremony; security ceremony |
| frequency | held several times per year |
| governingDocument | DNSSEC Practice Statement for the Root Zone KSK Operator; ICANN DNSSEC Key Management Policy |
| hasParticipantRole | Auditor; Ceremony Administrator; Crypto Officer; External Witness; Internal Witness; Security Officer; System Administrator; Trusted Community Representative |
| involves | backup and escrow of key material; formal roll call of participants; generation of new Key Signing Key material; public publication of ceremony reports; signing of root zone key sets; verification of hardware security module integrity; verification of software checksums |
| location | Culpeper, Virginia key management facility; El Segundo, California key management facility |
| operatedBy | ICANN as the IANA Functions Operator |
| output | ceremony audit logs; root zone trust anchor material; signed root zone Key Signing Key; video recordings |
| purpose | to ensure trust in the DNSSEC root of trust; to generate and manage the DNSSEC root zone Key Signing Key; to securely sign the DNS root zone key material |
| relatedTo | DNS root zone; Domain Name System Security Extensions; ICANN; Internet Assigned Numbers Authority; root zone Key Signing Key |
| scope | global DNS root zone |
| securityProperty | ensures integrity of DNSSEC root zone keys; implements multi‑factor authentication for key use; implements quorum‑based key activation; implements separation of duties |
| startYear | 2010 |
| trustModel | forms the apex of the DNSSEC chain of trust |
| uses | formal scripts and checklists; hardware security modules; multi‑party control procedures; offline computing environments; physical security controls; smart cards; tamper‑evident bags; video recording of all critical steps |
Referenced by (5)
| Subject (surface form when different) | Predicate |
|---|---|
| DNSSEC root key signing ceremony ("DNSSEC Practice Statement for the Root Zone KSK Operator"); DNSSEC root key signing ceremony ("ICANN DNSSEC Key Management Policy") | governingDocument |
| Domain Name System root zone | hasEvent |
| Domain Name System root zone ("DNSSEC KSK") | hasKeyType |
| DNSSEC root key signing ceremony ("root zone Key Signing Key") | relatedTo |