Key Signing Ceremony scheduling
Key Signing Ceremonies are public events, designed to promote awareness of this key piece of trust for the Internet’s domain name system. This document provides an overview of when ceremonies are conducted, and the running order of events.
Scheduling ceremony dates
We schedule key ceremonies based on the requirements of the Root Zone DNSSEC Practice Statements, which provide parameters that inform when we are able to hold ceremonies. In normal operation, because each ceremony produces three months worth of cryptographic material, we need to hold ceremonies four times a year.
The precise time windows in which key ceremonies can be conducted are prescribed by the DPS.
Setting the date
The four routine ceremonies per year are usually held to the following schedule:
|Jan-Feb||Q2 ZSKs||California (US West Coast)|
|Apr-May||Q3 ZSKs||Virginia (US East Coast)|
|July-Aug||Q4 ZSKs||California (US West Coast)|
|Oct-Nov||Q1 ZSKs||Virginia (US East Coast)|
Our goal is to set each ceremony’s date at least six months in advance. We choose the dates after soliciting availability from potential TCRs and ceremony personnel, as we need a certain minimum number of these roles to be filled to be able to successfully hold a ceremony. We try to avoid conflicts with major Internet governance and operational meetings, as well as significant national holidays that may widely impact travel, but at times this may not be possible to avoid.
Standby ceremony dates
The day following a regularly scheduled ceremony is held as a standby date. In the event an unrecoverable problem prevents us from completing a key ceremony, we will seek to remediate the issue and reconvene a day later to re-attempt the key ceremony. In the event this is not possible, a new ceremony will be scheduled at a later date.
Emergency key ceremonies
In the event of an emergency, a key ceremony may need to be called with very little notice. For example, a new KSK or ZSK may need to be generated or signed due to an unforeseen security issue the has compromised their trustworthiness. In such cases a ceremony could be conducted with as little as 48 hours notice.
Ceremony Running Order
A routine ceremony to only sign ZSKs for a quarter typically runs as follows.
|T-1:30||Ceremony participants arrive at facility, and go through security formalities to be admitted.|
|T-1:00||Light snacks and beverages provided to participants in the facility cafeteria.|
|T-0:15||Participants are escorted by ceremony staff into Tier 3, formally log in on the KMF attendance sheet, and into Tier 4 and take seating.|
|T+0:00||Scheduled ceremony start time. Live-streaming of the ceremony commences, and ceremony is conducted according to script that is published in advance.|
|T+3:00||Typical ceremony is concluded, assuming no exceptions and no additional tasks (see below.). Live-streaming concludes.|
|T+3:15||Participants meet to review the ceremony, discuss areas for improvement on how ceremonies are conducted, and discuss future developments relevant to performance of key ceremonies.|
|T+4:00||Participants leave facility. Typically an informal gathering is arranged off-premises for those able to attend.|
Additional Tasks and Complications
The timeline above accounts for a typical ceremony, however, there are additional administration tasks and complications that may extend the running time of a ceremony. When known in advance, these will be documented in the ceremony script and preliminary agenda.
Examples of tasks and complications that will extend the length of a routine ceremony:
- Updating the HSMs. HSMs have a limited lifespan due to an internal battery that can not be replaced on-premises. From time-to-time HSMs will be replaced with new units.
- Replacing a TCR. If a TCR’s term is concluding, a new TCR will need to be inducted to replace them. The procedure varies depending on whether both TCRs can be present together.
- Creating a KSK. Creation of a KSK, as opposed to signing with an existing KSK, is an additional task performed from time-to-time.
- Rolling a KSK. The act of rolling a KSK is replacing one KSK with another, but with an overlapping window of use. Due to multiple fall-back scenarios, during a KSK roll there is additional signing steps in the ceremony that need to be conducted.
- Preventive maintenance. Maintenance on devices within the inner security tiers, such as replacing locks on safety deposit boxes within the credential safe, are conducted within the context of a ceremony.
- Handling exceptions. From time-to-time, there may be a need to deviate from the script. This could be due to a script error, a mis-step while following the script, the lack of available personnel, or an unexpected issue with the ceremony software or hardware. In such cases, attendees are consulted, a plan of action agreed, the plan executed, and the exception documented for the ceremony’s audit materials.