For just over 10 years now, every three months, a diverse group of “Trusted Community Representatives”  (see section 4.2.2 of the ICANN DNSSEC Practice Statement (DPS)) get together in one of two data centres in the USA and follow a script according to that DPS to sign a batch of Key Signing Requests (KSRs) provided by Verisign that, once returned with the proper signatures at the end of the process, will enable Verisign to publish the signed Internet DNS root zone to the DNS root servers for the Internet.
This process has quite a bit of redundancy built in to ensure continuity but the ceremonies need the physical presence of people to operate the machinery.
The DPS itself calls for a disaster recovery plan that contemplates the possible loss of the four Hardware Security Modules (HSMs) in the two facilities. Even then, we still need humans.
An issue that has always floated around the process has been the possibility that the USA would close its borders in the event of turmoil (war, widespread discontent, and so forth). Never did anyone think a virus would be the cause of such an event. And yet, here we are, “The best-laid schemes o’ mice an’ men Gang aft agley” .
It’s not quite an immediate problem, as we’ve generated signatures until the end of June 2020. The ceremony carried out in February generated the necessary signatures, not without its own set of incidents mind you, but we need a course before that date to produce the next batch of signatures. Any responsible operator, which the IANA operator has proven to be, needs to think ahead and so we now have an open discussion on how to proceed.
Several options are on the table and input is being sought. The least desirable but, simultaneously, the most likely given the current situation, will be a ceremony using the part of the disaster recovery process where only California-based ICANN staff, and possibly a locksmith, go into the facility in Los Angeles and force their way into the security deposit boxes containing the necessary credentials (no safe drilling this time, as the set of ICANN staff that can forcibly open the safes are presumed to be on site) and perform the signing while everyone else watches attentively. I would expect these Trusted Community Representatives to pay particularly close attention, if nothing else, because we are familiar with the process and can ‘spot the difference’, not to mention the fact that our role is to provide accountability on the Internet’s behalf.
Who would’ve thought that in designing an open, accountable and clear process that handled the private key of the root of the DNS we would end up in a situation where a virus threw all these carefully formulated plans aside!
 Yes, I’m one of them!
 “To a Mouse, on Turning Her Up in Her Nest With the Plough, November, 1785” Robbie Burns.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.