DNS root zone drama: Follow live the most important dullest ceremony you'll ever see

The Oscars it ain't but the key signing ceremony is vital

If you have literally nothing better to do today, we would recommend watching the most important but dullest ceremony you can catch online.

The eight-hour event is taking place today in Los Angeles and is being streamed live – just like the Oscars. Although without the music, or famous people, or speeches, or ball gowns.

OK, it is almost the anti-Oscars. But with dullness comes importance: the ceremony itself takes place four times a year, and basically secures the top level of the internet's domain-name system for the next three months.

It is the key-signing-key ceremony for the DNS root zone, which is the roadmap of the web. When you look up, say, a .com, or a .org, or, er, a .black or .yachts website, the root zone is used to point your browser, or whatever app you're using, in the right direction to connect to that requested website. The key signing is needed to ensure miscreants can't tamper with the root zone without detection.

Twenty-five people will be locked into a high-security box for the whole day in order to create a pair of new public and private keys for the internet's DNS root. The keys will then be used by the rest of the top level of the internet to ensure safe and secure interactions between them, i.e., to make sure no one is able to hack the internet.

As we write this, the ceremony is already an hour in and will run until 5pm local time, followed by 15 minutes of catch-up, after which about half the attendees will fly back to virtually every corner of the globe.

It's also the fifth anniversary of the first KSK ceremony, which took place on 16 June 2010 and was used to introduce the DNSSEC security protocol at the root server level.

As part of the ceremony, some of the hardware that generates the keys will be replaced – something that ICANN says is "out of an abundance of caution" but really it's because the organization was embarrassed into doing so by the dot-com operator Verisign in a damning paper on the organization's technical abilities.

Smooth sailing

Although the ceremonies are painfully long, pedantic, and scripted down to the tiniest detail, things have often gone awry on the day itself.

For some reason, The Guardian suddenly became very excited about the ceremony in 2014 and sent along a reporter with a camera. He witnessed an unusual combination of high security and advanced technology combined with human farce. The worst was when an accidental door slam tripped a seismic sensor and locked everyone in a cage, forcing them to trigger an evacuation in order to get out and start again.

Far from the ceremonies becoming mundane, however, they are of increasing importance. Originally DNSSEC was used by only a few top-level domains, but now it is a contractual requirement for the 1,000+ new internet extensions that ICANN has introduced and will continue to introduce for the next six months.

The extra level of security being added to the DNS is also being increasingly used as a platform for more protocols and applications, such as DANE and a proposal to create the next generation of secure email.

If the master key generated by the ceremony were somehow stolen or misplaced, it would currently create a few technical headaches and internet engineers would lose their evening and possibly their weekend fixing it. But as we go forward and DNSSEC becomes the new norm, any slip-up with the key or ceremony would have enormous, widespread impacts across the globe as the entire system stopped trusting itself.

That's why the ceremony and its elaborate processes are vital. And why it's also vital that ICANN fix the technical issues that were highlighted by Verisign six months ago. That paper listed a series of mistakes made in and around the key signing and noted that they "could threaten to undermine trust in the entire process."

While the larger ICANN organization has repeatedly proven itself to be technically inept, the arm of the organization that handles the IANA contract has operated largely independently and possesses a far higher level of technical competence (albeit one criticized by Verisign).

It's unclear what impact there will be when ICANN takes over the IANA contract in 2016 and runs at least some of the technical functions through a new affiliate over which it is proposed ICANN will have full control. ®
