[dns-esp] Fwd: FW: Contingency plans for the next Root KSK Ceremony

Andres Pavez apavez.zavala en gmail.com
Jue Mar 26 19:20:11 -03 2020

Les reenvío un comunicado de IANA acerca de los planes para realizar
la próxima KSK ceremonia de la zona raíz dada las restricciones de
viajes y periodo de cuarentena que estamos viviendo.
Cualquier comentario es bienvenido.

On 3/25/20, 18:52, "root-dnssec-announce on behalf of Kim Davies"
<root-dnssec-announce-bounces en icann.org on behalf of
kim.davies en iana.org> wrote:

The IANA team, and the broader ICANN organization, have been giving
significant thought to the Coronavirus pandemic and its impact on root
zone KSK operations. Managing the KSK is centred on conducting "key
signing ceremonies", where trusted community representatives (TCRs)
attend from around the world to witness utilization of the root zone
KSK private key. This approach seeks to engender trust in the broader
community that the key has not been compromised, in addition to more
typical controls such as third-party auditing.

In light of world events we have developed contingency plans around
how to hold key ceremonies in the short term. To that end, we
identified a graduated set of options, in summary:

1.      Hold the next ceremony as planned on April 23, with a quorum
of participants globally.
2.      Hold the next ceremony on a different date using only US-based TCRs.
3.      Hold the next ceremony using our disaster recovery procedure,
which provides for a staff-only ceremony (i.e. no TCRs would be
physically present).

In general, our goal has been to navigate from Option 1, and if that
is not possible, Option 2, and so on. However, at this time, our focus
is on developing a plan around Option 3.

The ceremony is currently scheduled unusually early in the quarter (it
is typically held in May), and needs to be held to generate signatures
that will be needed in production for July. Our contingency plan is
comprised of:

·         Holding the ceremony with a bare minimum of staff (approximately 6);

·         Using 3 TCRs’ credentials, either by having their access key
transferred to us in a secure manner in advance of the ceremony, or by
drilling the safety deposit box that holds their secure elements.

·         Holding the ceremony under typical audit coverage, allowing
for remote witnessing of events by all, plus providing additional
opportunities for TCRs to stay involved in the process remotely.

·         Signing key materials to cover one or more subsequent
quarters, to provide relief from the need to necessarily hold
ceremonies later in 2020 if circumstances disallow it. (The additional
signatures would be withheld securely until they are needed.)

Our key management facilities were designed with the disaster recovery
capability of performing staff-only ceremonies in mind, but this is a
significant shift from normal operations and we want to promote
broader community awareness of this work. Those directly involved in
key ceremonies - the trusted community representatives, our vendors
and auditors - have been consulted and are broadly supportive of this

Should there be any specific feedback you would like to share with our
team, please email me <kim.davies en iana.org> and we will take it into
consideration as we finalize our plans.

Thank you for your support,

Kim Davies
VP, IANA Services, ICANN
President, Public Technical Identifiers (PTI)

Más información sobre la lista de distribución dns-esp