[dns-operations] iVenue and CommunityDNS.
jabley at hopcount.ca
Thu Mar 24 20:22:31 UTC 2011
On 2011-03-24, at 14:12, Simon Munton wrote:
>> They are well-known, their CEO can even reboot the Internet :
> Clearly, raising awareness of DNSSEC, and the issues surrounding it, is important and it is the responsibility of all of us within the DNS space to do this - especially the key holders.
The phrase "key holders" continues to lead to confusion, as shown in that Telegraph article (and many others that were published around the same time).
To be clear, there are crypto officers (COs) who hold safety deposit box keys which allow them to participate in root key ceremonies, and there are recovery key shareholders (RKSHes) who each hold a share of a key used to encrypt a backup of the root KSK. That backup is in secure storage, managed by ICANN.
Paul Kane kindly volunteered to be an RKSH, was subsequently selected to perform that role, and attended the first ceremony in Culpeper, VA, USA in 2010. In the event of a significant disaster that caused complete data loss in both key management facilities, a number of RKSHes would be asked to travel to participate in a data recovery exercise.
At no time is any key material relating to the root zone KSK or ZSK held by a root zone CO or RKSH.
> I'm sure you all know full well Paul is perfectly aware you can't use a single smart card to "reboot the internet".
I think the concern is that some communications have resulted in the perception that root zone key materials are being held by individuals around the world. This is not the case.