DNS security and key ceremonies This post will focus on a key part of DNSSEC infrastructure — Root KSK ceremonies. These ceremonies exist to provide transparency to the Internet community around the creation, use, and storage of the Root KSK. Transparency is essential in establishing trust of the KSK — asking the Internet to just blindly trust something wouldn’t work, and rightly so! Read more: https://blog.apnic.net/2021/10/12/dns-security-and-key-ceremonies/
Wow I had no idea of all this. Thanks for sharing @Future Sensors . I liked this: “So, in a sense, there is a group of seven people with ‘keys to the Internet’, but on their own, without ICANN (and the tens-of-thousands-strong Internet community backing them), they’re powerless.”
So true. With SOA serial 2010071501 (July 2010) the DNS root was officially signed. The procedures have been polished since then, and trusted community representatives are selected from different geographic locations to avoid imbalance. Before the root was signed, there was a system that imitated a signed root: DNSSEC Lookaside Validation (DLV), which can be found in https://datatracker.ietf.org/doc/html/rfc5074
Root Zone KSK Ceremony #1 The first Key Signing Key (KSK) generation ceremony for the DNS Root Zone. In a sense, the KSK represents the "master key" that is anticipated to be used from July 2010 to secure the root of the DNS system. Taken on June 16, 2010 by Kim Davies CC BY-NC-ND 2.0 license Full album: Root Zone KSK Ceremony #1 https://www.flickr.com/photos/kjd/albums/72157624302045698
Rest In Peace, Dan Kaminsky (February 7, 1979 – April 23, 2021) Best known for discovering a fundamental flaw in DNS in 2008. https://en.wikipedia.org/wiki/Dan_Kaminsky#Flaw_in_DNS https://www.blackhat.com/presentati...BlackHat-Japan-08-Kaminsky-DNS08-BlackOps.pdf https://dankaminsky.com/ https://twitter.com/dakami This photo is from the same Root Zone KSK Ceremony. Taken on June 16, 2010 by Kim Davies CC BY-NC-ND 2.0 license
