FR

10 years of DNSSEC at the root: The Story of a Trusted Community Representative

By Alain AINA
July 22, 2020

The Domain Name System (DNS) is considered to be an important pillar in the operation of the Internet. However, it was built devoid of any strong security mechanism to ensure data integrity or authentication.

The Domain Name System Security Extensions (DNSSEC) adds data origin authentication and data integrity to the Domain Name System.

Addressing these known issues with the DNS evolved through multiple phases of standardization and adoption.

The DNSSEC history project provides a timeline, which presents the evolution of DNSSEC.

DNSSEC-bis standards, published in early 2005, set the foundations of the DNSSEC we know today.

The year 2005 witnessed the signing of 1st TLD and the beginning of series of actions from early adopters and other enthusiasts. A long DNSSEC journey has elapsed since then, with many events, milestones, including the signing of the root.

I- Signing the root

You may remember that root servers published signed root zone data for the first time on 15 July 2010. This event only happened five years after the DNSSEC-bis standards were published and the first TLD signed.

I recall some of the controversies, which occurred around signing the root zone, but I will spare you these details in this publication. These controversies and palavers are part of the history, which I believe, led to the robust and trusted DNSSEC at the root – which is the subject of this story.

The global community was convinced at some point that within the DNS hierarchy, signing the root was critical and needed. The positive response to the NTIA’s Notice of Inquiry in October 2008 led to a joint effort between NTIA, ICANN and VERISIGN to deploy DNSSEC at the root which started in Q4, 2009.

Three main requirements transpired from the implementation plan:

1- Transparency

Processes and procedures should be as open as possible for the Internet community to trust the signed root

2- Audit

Processes and procedures should be audited against industry standards, e.g. ISO/IEC 27002:2005

3- High Security

Root system should meet all NIST SP 800-53 technical security controls required by a HIGH IMPACT system

The High Level Timeline was followed and on 15th July 2010, signed root zone was made available.

Two important milestones to this great achievement were the first KSK ceremonies:

• On June 16, 2010:ICANN holds first KSK ceremony event in Culpeper, VA, USA
• On July 12, 2010: ICANN holds second KSK ceremony event in El Segundo, CA, USA

During the ceremony held on the June16, 2010, TCRs were enrolled in their different roles (Crypto Officers, Recovery Key Share Holders, Backup Crypto Officers, and Backup Recovery Key Share Holders), HSMs were initialized, the first root KSK was generated and root key material was signed.

(2010-06-16T21:19:24Z: [info] . IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5)

And so, what is a TCR?

The signing of the root key materials is done through a procedural event, the “KSK Ceremony” with an active participation of some individuals known as “Trusted Community Representatives (TCR)”.

To meet requirements #1 and #3 listed above, and to improve community confidence and acceptance of the DNSSEC at the root, it was decided to invite recognized members of the DNS technical community to be part of the key generation, key backup and key signing process for the root.

These persons acting as trusted representatives of the Internet community participate in the root key generation and signing ceremonies. They are called Trusted Community Representatives (TCRs).

I happen to be one of the TCRs; and this, thanks to my long history with DNS and DNSSEC. Some souvenirs ^[1] actually come to my mind when I try to revisit this history.

The implementation of the DNSSEC at root can be summarized through the picture below. You can see the locations, the people, the devices and the KSK ceremonies.

Picture 1: Root KSK ceremony

Over years and at each ceremony, TCRs made sure that ICANN meet the requirements, and improve processes over time. We witnessed: keys generation and escrow, periodic signing of root DNSKEY material, decommissioning and introduction of Hardware Security Modules, first root KSK rollover, etc.

Covid-19 pandemic arose and stressed the contingency planning of the root KSK operations. Ceremony 41, planned at the East coast facilities in April 2020 to sign the 2020Q3 key material and replace two Trusted Community Representatives (Crypto Officers) myself included was readjusted.

The ceremony finally took place on schedule, but instead at West coast facilities with limited physical presence (mostly ICANN staff), but with TCRs involvement and remote attendance with live chat. The 2020Q3 key material was signed, but 2020Q4 and 2021Q1 key materials were also signed in anticipation that restrictions may span throughout 2020.

The picture below shows the team that did the job on ground.

Picture 2: Root KSK ceremony 41

And how did the first Root KSK rollover go? From #19036 to #20326

The first root KSK rollover process started on 27th October 2016 and the rollover finally took place on 11th October 2018. The new root KSK known as KSK-2017 was used to sign the root DNSKEY Resource record for the first time. The first-ever changing of the Root KSK was done.

The KSK-2017 key was generated during ceremony 27, which turned to be another important ceremony. I had the privilege to press the button to generate the new root KSK.

Picture 3: Pressing the key to generate the new Root key.

Picture 4: DS format of KSK-2017 painted on T-shirt

This KSK rollover process has its own history and is rich in lessons; yet another important milestone was achieved.

II- Are the fruits keeping the promises of the flowers?

DNSSEC with the signing of the root was as an important upgrade to the Internet infrastructure to help address today’s needs and create tomorrow’s opportunity.

That 16th June 2010, an important step was taken. The missing piece was added. The complete DNSSEC hierarchy is in place. Vint Cerf qualified what has happened by saying:

“More has happened here today than meets the eye. An infrastructure has been created for a hierarchical security system, which can be purposed and re‐purposed in a number of different ways.”

Where are we so far?

According to some statistics, as I write this paper, 90% of the TLDs are signed, and approximately, 4% of the SLDs are signed and 26% of the Internet users are validating signed zones data. GTLDs and many ccTLDs played their part. However, I must confess that despite all the efforts, only a few African ccTLDs followed the trends to sign their zones and accept DS from SLDs.

Overall, I think, it is been good so far, even though there is still a long way to go. Am I being too optimistic as a long-standing DNS/DNSSEC enthusiast? If you feel otherwise, please speak up.

In conclusion, I would say that, the joint effort that led to the signing of the root, has been an important achievement for the global DNS community and an exciting experience for all. It was a great privilege for me to serve as Trusted Community Representative The widespread acceptance of the DNSSEC at root within the community proves the relevance of the model and the subsequent decisions and choices.

Mission now accomplished as I believe, I owed you this story on the occasion the 10-years anniversary and while I wait for my handover ceremony.