Signing the root in public: The foundations of trust

By on 8 Jul 2025

Category: Tech matters



Inside the secure facility in Culpeper, Virginia, ICANN staff operate in an inner secure zone with restricted access while we witness.

This November, I’ll travel again to Culpeper, Virginia, USA, to take part in a DNS root key signing ceremony, an event that plays a crucial role in the secure operation of the DNS. These ceremonies are held twice a year in two secure locations in the United States and ensure the continued integrity of DNSSEC, which allows signed domain names to be verified and trusted globally.

At the heart of this process is a hierarchy of signing keys, a form of Public Key Infrastructure (PKI) that DNSSEC uses to establish trust in DNS data. At the top sits a single root Key Signing Key (KSK). The KSK signs the root zone's DNSKEY record set, which contains the Zone Signing Keys (ZSKs), and the ZSKs in turn sign the actual contents of the root zone. Every DNSSEC-validating resolver is configured with the public half of the root KSK as its trust anchor and begins its chain of trust there, which is what makes this ceremony, and the transparency around it, so important.

The basics of key signing

The concept of signing is simple. A private key is used to sign data, and the corresponding public key is distributed so that others can verify the authenticity of that data. The challenge is in protecting the private key and ensuring that the signing process is conducted securely and transparently.

To keep the key safe, the ceremony relies on Hardware Security Modules (HSMs), tamper-resistant devices certified under the US Federal Information Processing Standard FIPS 140-2. The private key is only ever used inside the HSM and is never exposed in plaintext; signing operations are performed within the device. If tampering is detected, the device can automatically destroy (zeroize) the key rather than allow it to be extracted. These modules are stored in highly secure facilities, are never connected to a network, and are only powered on under strict procedural controls.
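To make the chain of trust described in the two sections above concrete, here is an added example in Python. It is not code from the original post, nor ICANN's signing software: a toy RSA with 512-bit keys and no padding stands in for the real algorithm and key size, JSON-encoded records stand in for the DNS wire format, and the zone records are constructed. What it shows is the structure the text describes: the KSK signs the DNSKEY set that contains the ZSK, the ZSK signs zone data, and a validator that is configured with nothing but the KSK public key walks the chain and rejects altered data, a swapped-in ZSK, or a zone signed under a different trust anchor.

```python
# Added example, not ICANN's code: a toy model of the KSK -> ZSK -> zone-data chain.
# Assumed stand-ins: textbook RSA with 512-bit keys (no padding) for the real
# algorithm and key size, and JSON-encoded records for the DNS wire format.
import hashlib
import json
import secrets

def _is_probable_prime(n, rounds=16):  # Miller-Rabin; fine for a toy, not production
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Toy RSA keypair: returns ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(data, n):
    # Hash-then-sign; a SHA-256 digest is already smaller than a 512-bit n.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):
    n, d = private
    return pow(_digest(data, n), d, n)

def verify(public, data, sig):
    n, e = public
    return pow(sig, e, n) == _digest(data, n)

def canonical(rrset):
    """Deterministic encoding so signer and validator hash identical bytes."""
    return json.dumps(rrset, sort_keys=True, separators=(",", ":")).encode()

def build_signed_root(ksk_pub, ksk_priv, zsk_pub, zsk_priv, records):
    dnskeys = [{"flags": 257, "key": list(ksk_pub)},   # 257 = zone key + SEP bit (KSK)
               {"flags": 256, "key": list(zsk_pub)}]   # 256 = zone key (ZSK)
    return {
        "DNSKEY": dnskeys,
        "DNSKEY_RRSIG": sign(ksk_priv, canonical(dnskeys)),   # produced at the ceremony
        "RECORDS": records,
        "RECORDS_RRSIG": sign(zsk_priv, canonical(records)),  # routine ZSK signing
    }

def validate(trust_anchor, zone):
    """A resolver that trusts only the KSK public key walks the chain."""
    dnskeys = zone["DNSKEY"]
    anchored = any(k["flags"] == 257 and tuple(k["key"]) == trust_anchor for k in dnskeys)
    if not anchored or not verify(trust_anchor, canonical(dnskeys), zone["DNSKEY_RRSIG"]):
        return False  # the DNSKEY set is not vouched for by the KSK
    return any(verify(tuple(k["key"]), canonical(zone["RECORDS"]), zone["RECORDS_RRSIG"])
               for k in dnskeys if k["flags"] == 256)

def demo():
    """Constructed sample data (not the real root zone); returns validation outcomes."""
    ksk_pub, ksk_priv = generate_keypair()
    zsk_pub, zsk_priv = generate_keypair()
    records = [{"name": "example.", "type": "DS", "data": "constructed-ds-digest"}]
    zone = build_signed_root(ksk_pub, ksk_priv, zsk_pub, zsk_priv, records)
    out = {"valid": validate(ksk_pub, zone)}
    # Altered data: the ZSK signature no longer matches.
    tampered = dict(zone, RECORDS=[dict(records[0], data="attacker-ds-digest")])
    out["tampered_data"] = validate(ksk_pub, tampered)
    # Rogue ZSK: the attacker signs data with their own ZSK and swaps it into the
    # DNSKEY set, but cannot re-sign that set without the KSK held in the HSM.
    rogue_pub, rogue_priv = generate_keypair()
    rogue = dict(tampered, DNSKEY=[zone["DNSKEY"][0], {"flags": 256, "key": list(rogue_pub)}])
    rogue["RECORDS_RRSIG"] = sign(rogue_priv, canonical(rogue["RECORDS"]))
    out["rogue_zsk"] = validate(ksk_pub, rogue)
    # A resolver configured with a different trust anchor trusts none of it.
    out["wrong_anchor"] = validate(generate_keypair()[0], zone)
    return out

if __name__ == "__main__":
    print(demo())
```

The rogue-ZSK case is the one worth dwelling on: a ZSK carries no authority of its own. It is trusted only because the KSK, at a ceremony, signed the DNSKEY set that lists it. That is why the ZSKs can be used routinely by operational staff while the KSK stays in an HSM and is touched only under the witnessed procedure described below.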

Why a ceremony?

Rather than carrying out the signing process behind closed doors, the DNSSEC root KSK is managed through a formal key signing ceremony. This ceremony brings in members of the Internet community, like me, to act as witnesses. Our presence and oversight help to build and maintain public trust in the system.

I serve as a Trusted Community Representative (TCR), and my responsibilities during the ceremony fall into two categories:

  1. Observer: I physically attend the secure facility, witness the entire signing process, and verify that all procedures are followed precisely. This includes confirming the integrity of tamper-evident bags, verifying seals and serial numbers, and ensuring nothing is out of order.
  2. Keyholder: I hold a physical key that unlocks one of the inner boxes used in the process. Others hold keys to the safes that contain these boxes. No one person has access to the full set of materials; the system is built around an M-of-N scheme, where a quorum of participants must be present before the ceremony can proceed. This ensures that no single person can act alone, and it also provides redundancy if someone is unavailable.

There are additional roles in the ceremony, for example Guardians, who maintain backups of key materials in case of disaster. All of these roles are clearly defined and carefully distributed to avoid centralized control.
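The M-of-N quorum in the ceremony is enforced physically, with safe keys, inner boxes and the controls on the HSM itself, but the same principle has a standard cryptographic form: Shamir secret sharing. The following is an added example in Python, not code from the post or from ICANN, and the 3-of-7 parameters are an assumption chosen for illustration rather than the ceremony's actual quorum. It splits a secret into one share per holder, shows that any quorum of holders can reconstruct it, that absent holders are tolerated, and that fewer than the quorum learn nothing useful.

```python
# Added illustration of an M-of-N quorum as Shamir secret sharing.  Not ICANN's
# code: the ceremony's quorum is enforced with safe keys, inner boxes and the
# HSM's own controls; this shows the same principle in arithmetic form.  The
# 3-of-7 parameters are assumed for illustration.
import secrets
from itertools import combinations

PRIME = 2**521 - 1   # Mersenne prime; comfortably holds a 256-bit secret as one field element

def _eval_poly(coeffs, x):
    acc = 0
    for c in reversed(coeffs):          # Horner's rule, all arithmetic mod PRIME
        acc = (acc * x + c) % PRIME
    return acc

def split_secret(secret, m, n):
    """Return n shares (x, y); any m of them reconstruct `secret`, fewer reveal nothing."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit in the field")
    # Degree m-1 polynomial with the secret as constant term and random other coefficients.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def reconstruct(shares):
    """Lagrange interpolation at x = 0 over whatever shares are supplied."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

def quorum_demo(m=3, n=7):
    secret = secrets.randbits(256)            # stands in for backed-up key material
    shares = split_secret(secret, m, n)       # one share per holder
    return {
        "every_quorum_recovers": all(reconstruct(list(c)) == secret
                                     for c in combinations(shares, m)),
        "below_quorum_recovers": reconstruct(shares[:m - 1]) == secret,
        "absent_holders_tolerated": reconstruct(shares[n - m:]) == secret,
    }

if __name__ == "__main__":
    print(quorum_demo())
```

With fewer than m shares the interpolation still returns a value, but it is a uniformly random field element unrelated to the secret, which is the property that makes the scheme safe to spread across people who may never all be in the same room. Redundancy comes from the same property: any m holders suffice, so an unavailable participant does not block the procedure.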

It’s important to note that TCRs do not handle the cryptographic key material directly. The actual signing operations are performed by ICANN staff, following a step-by-step scripted procedure. Every action is documented, witnessed, and countersigned. The ceremony is livestreamed for transparency. Attendance is logged, and entry and exit from the secure area are strictly controlled.

Refining the process

Like any complex process, there is always room for improvement. Each ceremony concludes with a review of lessons learned. These range from minor procedural tweaks, such as adding a plastic shield to prevent visual inspection of SD card contacts, to major disruptions, such as recovering from a failed safe lock that once caused a two-day delay. The process has evolved to become more robust with each iteration.

One ongoing concern, not directly related to my role, is the geographic centralization of the KSK infrastructure. Currently, both secure facilities are located in the USA. While this provides physical redundancy across the East and West coasts, it also places the system entirely within a single political jurisdiction. Should access be restricted by government action, TCRs, including those from other regions, could be prevented from fulfilling their roles. This raises the question of whether similar facilities should be established in other global locations, such as near ICANN’s Geneva or Singapore offices, to improve resilience and global legitimacy.

Why this matters

I’ve been fortunate to witness the professionalism and care with which the ICANN team conducts the ceremony. Everyone involved takes their role seriously, and the collaborative environment makes clear that this process exists for the benefit of the entire Internet community. At APRICOT 2025 earlier this year, I reported on the 2024 ceremony, and I look forward to sharing insights from the upcoming event in November 2025.

Being a TCR is a responsibility I value highly. I take pride in ensuring it’s done properly and transparently. That’s a meaningful way to contribute, and I encourage others to explore similar community oversight roles in their own regions.


The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.
