[dns-operations] [Ext] Re: Contingency plans for the next Root KSK Ceremony

Kim Davies kim.davies at iana.org
Fri Mar 27 00:55:41 UTC 2020

Hi Sergey,

Quoting Sergey Myasoedov on Friday March 27, 2020:
> There is no specific concern. Any KSK operation can be performed without the physical 
> TCRs presence. There is no other source of confidence except TCRs, and their absence 
> or accessing the private key without their presence isn’t good for trust.

Hopefully our approach does not depend solely on TCRs for confidence.
We've consciously sought to operate a highly transparent process
that allows anyone who is interested - not just TCRs - to witness
proceedings and be involved, either in person or remotely. Further,
we are audited by a third-party audit firm using the SOC 3 framework
(formerly SysTrust), and have received unqualified opinions each year
since we first started in 2010: https://www.iana.org/about/audits

Another key protection is we seek to disseminate all the relevant
materials from the ceremony. All audit footage, software used, and
the logs and artefacts generated are posted online for download and

Certainly if there is a perception that trust hinges critically on TCRs,
we've either not communicated the breadth of the controls well enough,
or we need to do more to instill trust. Just as the security envelope
for the KSK involves multiple overlapping physical security controls,
maintaining trust in KSK management should involve multiple overlapping
trust mechanisms to satisfy the community.

> I understand the extraordinariness of the moment, and if you have no choice, you’ll jump to 
> Option 2 and Option 3 then. Is the disaster recovery procedure (Option 3) the one that should’ve 
> been done on Verisign’s disaster recovery site? Does it require to access the cards? Or we’re 
> discussing the non-disaster remote ceremony?

We do not have any disaster recovery sites, and we do not use any
sites operated by Verisign. We have two replica sites which, in normal
operations, we alternate holding key ceremonies. We can use either to
perform a key ceremony. Verisign operates their own infrastructure as it
pertains to managing the ZSK for the root zone.


More information about the dns-operations mailing list