Update on KSK Ceremony 41

2020-04-14 Thread Kim Davies 
We are preparing for important changes to how we conduct KSK Ceremony 41.

In light of the global coronavirus pandemic, and the restrictions on personnel 
mobility, our team has assessed that our best approach for conducting the 
upcoming ceremony is to perform it using minimum personnel. Our approach has 
been informed by dialogue in various forums and with our partners.

We expect to hold the ceremony at the same time as originally scheduled of 23 
April 2020, 1700 UTC. However, the ceremony will now be held in our west coast 
facility in El Segundo, California. The ceremony page has been updated with 
this detail: https://www.iana.org/dnssec/ceremonies/41

These revised plans are subject to executive and board approval, expected later 
this week. Following formal approval we will share more comprehensive details.

Kim Davies
VP, IANA Services, ICANN
President, Public Technical Identifiers (PTI)
___
root-dnssec-announce mailing list
root-dnssec-announce@icann.org
https://mm.icann.org/mailman/listinfo/root-dnssec-announce

___
By submitting your personal data, you consent to the processing of your 
personal data for purposes of subscribing to this mailing list accordance with 
the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website 
Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman 
link above to change your membership status or configuration, including 
unsubscribing, setting digest-style delivery or disabling delivery altogether 
(e.g., for a vacation), and so on.

Root Zone Trust Anchors updated

2017-02-03 Thread Kim Davies 
Yesterday, we successfully completed Root Zone KSK Ceremony 28. Part of this 
ceremony was to replicate a newly generated KSK in our key management facility 
on the US West Coast following its creation at the prior ceremony on the US 
East Coast in October 2016.

Now that the KSK is safely instantiated in both locations, we consider this KSK 
operational, and the Root Zone Trust Anchors file has been updated to reflect 
this. The KSK generated in 2010 is still being used today but it is planned to 
transition to the new key later this year. Software implementers should make 
sure they have up-to-date root zone trust anchors and/or update mechanisms such 
that either trust anchor can be used to verify the root zone KSK.

Information on the root anchors is at https://www.iana.org/dnssec/files

This work is part of the Root KSK Rollover project, more information is at 
https://www.icann.org/resources/pages/ksk-rollover

Kim Davies
Director, Technical Services
IANA Services

___
root-dnssec-announce mailing list
root-dnssec-announce@icann.org
https://mm.icann.org/mailman/listinfo/root-dnssec-announce

IANA 2019 Engagement Survey

2019-09-19 Thread Kim Davies 
To the Root Zone KSK community:

We strive to continuously improve the delivery of the IANA Services to our 
customers and ensuring that we are providing the right level of engagement. 
This year, we have contracted Echo Research, LLC, an independent research firm 
to run our 2019 customer survey. Echo Research is committed to protecting the 
confidentiality of all respondents, and in doing so will follow GDPR guidelines 
as detailed by EFAMRA, the European Research Federation, written for market 
research members of ESOMAR world research,, and The Market Research Society 
(MRS).
The survey only takes 5-10 minutes to complete. Results will be announced 
towards the end of this year. Please click here to participate:

https://surveys.jibunu.com/EchoResearch_0001/index.aspx?L=2=7

We understand some of you are participants of multiple Internet communities. If 
you have received an individual email to participate in our survey, or if you 
are subscribed to other mailing lists where we are inviting customers to 
participate, we kindly ask that you only take the survey once.

We appreciate your time and look forward to incorporating your feedback in our 
engagement activities.

If you have any questions, please contact marilia.hir...@iana.org

On behalf of the IANA team,

Kim Davies
VP, IANA Services, ICANN
President, Public Technical Identifiers (PTI)
___
root-dnssec-announce mailing list
root-dnssec-announce@icann.org
https://mm.icann.org/mailman/listinfo/root-dnssec-announce

___
By submitting your personal data, you consent to the processing of your 
personal data for purposes of subscribing to this mailing list accordance with 
the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website 
Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman 
link above to change your membership status or configuration, including 
unsubscribing, setting digest-style delivery or disabling delivery altogether 
(e.g., for a vacation), and so on.

Proposal for Future Root Zone KSK Rollovers

2019-11-06 Thread Kim Davies 
We would like to announce the Proposal for Future Root Zone KSK Rollovers has 
been released for public comment and is available for review on the ICANN 
website:

https://www.icann.org/public-comments/proposal-future-rz-ksk-rollovers-2019-11-01-en

We have reviewed the feedback received from the community, and tailored a plan 
based upon community feedback, operational complexity, and lessons learned in 
the first KSK rollover projects which concluded recently.

From a high level perspective, the plan includes a three-year rollover 
interval, with a period of about two years in a standby state before the 
rollover and active phase of the KSK.

The three-year rollover strikes a responsible balance ensuring that procedures 
and software remain sufficiently agile to adopt new keys as they are 
commissioned, while not introducing too much operational complexity through 
overly-frequent changes to the KSK.  The standby period will allow a longer 
pre-publication and consequently allow for the new KSK’s earlier use if there 
is a need to perform an emergency rollover.

The public comment period is slated to close at the end of January. We 
encourage you to submit your feedback so we may integrate it into the final 
approach.

For those at the ICANN 66 meeting in Montreal this week, we will be presenting 
the proposal to the DNSSEC session being held later today.


Kim Davies
VP, IANA Services, ICANN
President, Public Technical Identifiers (PTI)
___
root-dnssec-announce mailing list
root-dnssec-announce@icann.org
https://mm.icann.org/mailman/listinfo/root-dnssec-announce

___
By submitting your personal data, you consent to the processing of your 
personal data for purposes of subscribing to this mailing list accordance with 
the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website 
Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman 
link above to change your membership status or configuration, including 
unsubscribing, setting digest-style delivery or disabling delivery altogether 
(e.g., for a vacation), and so on.

Reminder: IANA 2019 Engagement Survey

2019-10-04 Thread Kim Davies 
Colleagues,

We would like to remind you that the Annual IANA Engagement Survey is
open until October 11th. If you have not done so yet, please take 5
minutes to respond by clicking on this link: 

https://surveys.jibunu.com/EchoResearch_0001/index.aspx?L=2=7

The survey is administered by a third party vendor – Echo Research, LLC.
 
We look forward to your feedback.

On behalf of the IANA team,

Kim Davies
VP, IANA Services, ICANN
President, Public Technical Identifiers (PTI)
___
root-dnssec-announce mailing list
root-dnssec-announce@icann.org
https://mm.icann.org/mailman/listinfo/root-dnssec-announce

___
By submitting your personal data, you consent to the processing of your 
personal data for purposes of subscribing to this mailing list accordance with 
the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website 
Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman 
link above to change your membership status or configuration, including 
unsubscribing, setting digest-style delivery or disabling delivery altogether 
(e.g., for a vacation), and so on.

Rescheduling Root KSK Ceremony 40

2020-02-11 Thread Kim Davies 
The 40th Root Key Signing Key Ceremony, originally scheduled for 12 February 
2020 at 2100 UTC in El Segundo, California, is being postponed.

During routine administrative maintenance of our Key Management Facility on 11 
February, we identified an equipment malfunction that will prevent us from 
successfully conducting the ceremony as originally scheduled. The issue 
disables access to one of the secure safes that contains material for the 
ceremony.

We are currently evaluating our options to reschedule the ceremony. We maintain 
a complete replica facility in Culpeper, Virginia, and the ceremony may be 
moved to that location depending on the nature and resolution time for the 
fault.

We will provide further updates as our contingency plans evolve.

There is no risk to the secure elements within our facility, and there will be 
no service interruption to DNSSEC as a result of this issue. We have multiple 
redundancies and we anticipate being able to relocate and reschedule 
ceremonies. We apologize for the inconvenience the attendees who had already 
travelled to participate in the ceremony. This is the first time a ceremony has 
needed to be rescheduled in the 10 year history of KSK management.

Kim Davies
VP, IANA Services, ICANN
President, Public Technical Identifiers (PTI)
___
root-dnssec-announce mailing list
root-dnssec-announce@icann.org
https://mm.icann.org/mailman/listinfo/root-dnssec-announce

___
By submitting your personal data, you consent to the processing of your 
personal data for purposes of subscribing to this mailing list accordance with 
the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website 
Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman 
link above to change your membership status or configuration, including 
unsubscribing, setting digest-style delivery or disabling delivery altogether 
(e.g., for a vacation), and so on.

Update on Root KSK Ceremony 40

2020-02-15 Thread Kim Davies 
An update as of Saturday, 15 February 1600 UTC:

Remediation work is continuing on the safe. We will not be able to start the 
ceremony at 1800 UTC today, but still seek to perform it later in the day. We 
expect to be able to provide a more definitive start time once repairs get 
further along.

kim
___
root-dnssec-announce mailing list
root-dnssec-announce@icann.org
https://mm.icann.org/mailman/listinfo/root-dnssec-announce

___
By submitting your personal data, you consent to the processing of your 
personal data for purposes of subscribing to this mailing list accordance with 
the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website 
Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman 
link above to change your membership status or configuration, including 
unsubscribing, setting digest-style delivery or disabling delivery altogether 
(e.g., for a vacation), and so on.

Update on Root KSK Ceremony 40

2020-02-12 Thread Kim Davies 
As an update to yesterday’s postponement:

Once we had ascertained we could not conduct the ceremony as originally 
scheduled, our first priority was to notify all impacted parties of the need to 
postpone. Once that was complete, we spent the evening reviewing our options 
with input from our expert staff and contractors.

Today, we held a briefing with the Trusted Community Representatives to discuss 
the equipment failure, our proposed approach to correct the fault, and possible 
dates to reschedule the ceremony. It was a very useful discussion where we 
explored the issues and developed a plan for moving forward.

The work to repair the malfunction is scheduled for Friday, 14 February. If 
this work is successfully completed on time, we expect to hold the Key Ceremony 
on Saturday, 15 February at 18:00 UTC. If further work is needed, we expect to 
know this by late Friday, and the new date for the ceremony will be announced 
in the upcoming weeks.

I'd particularly like to recognize the flexibility and willingness of the TCRs, 
our auditors, the RZM and our staff to make this happen.

kim

Kim Davies
VP, IANA Services, ICANN
President, Public Technical Identifiers (PTI)
___
root-dnssec-announce mailing list
root-dnssec-announce@icann.org
https://mm.icann.org/mailman/listinfo/root-dnssec-announce

___
By submitting your personal data, you consent to the processing of your 
personal data for purposes of subscribing to this mailing list accordance with 
the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website 
Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman 
link above to change your membership status or configuration, including 
unsubscribing, setting digest-style delivery or disabling delivery altogether 
(e.g., for a vacation), and so on.

IANA 2020 Engagement Survey

2020-10-28 Thread Kim Davies 
Dear Root KSK Community,

Please help us evolve our engagement approach. As a valued member of one
of our key communities, your opinion is essential to helping us improve.

We have revamped the IANA annual engagement survey using the feedback
received last year. We also want to share our findings with you. As a
thank you for taking part, you will receive a complimentary summary of
our findings and outcomes.

WHAT NEXT?

Please use this link to take part:
https://surveys6.jibunu.com/EchoResearch_0002/index.aspx?l=2=kt47

ABOUT THE SURVEY

 - It should only take a few minutes to complete;
 - It is being conducted by Echo Research, an independent market research 
company,
   on behalf of the IANA services provider PTI (an affiliate of ICANN);
 - Your data confidentiality is assured. Echo Research is committed to 
protecting
   the confidentiality of all respondents, and in doing so will follow GDPR
   guidelines as detailed by EFAMRO, the European Research Federation, written 
for
   market research members of ESOMAR world research, and The Market Research
   Society (MRS).

If you have any questions about the survey, please contact Marilia Hirano at
marilia.hir...@iana.org

Thank you very much for your time,

Kim Davies, on behalf of our vendor,

Ruth David
Senior Account Executive
Echo Research
ruth.da...@echoresearch.com
http://www.echoresearch.com
___
root-dnssec-announce mailing list
root-dnssec-announce@icann.org
https://mm.icann.org/mailman/listinfo/root-dnssec-announce

___
By submitting your personal data, you consent to the processing of your 
personal data for purposes of subscribing to this mailing list accordance with 
the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website 
Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman 
link above to change your membership status or configuration, including 
unsubscribing, setting digest-style delivery or disabling delivery altogether 
(e.g., for a vacation), and so on.

Call for Volunteers to Plan for Changing the Root Zone DNSSEC Algorithm

2022-11-16 Thread Kim Davies via root-dnssec-announce 
ICANN recently announced on open call for volunteers to join a design team that 
will develop a plan for changing the cryptographic algorithm used for the 
Domain Name System (DNS) root key signing key and zone signing key. Those who 
feel they are qualified are welcome to apply.

More information is at 
https://www.icann.org/en/announcements/details/icann-calls-for-volunteers-to-plan-for-changing-the-root-zone-dnssec-algorithm-03-11-2022-en

kim
--
Kim Davies
VP, IANA Services, ICANN
President, PTI
___
root-dnssec-announce mailing list
root-dnssec-announce@icann.org
https://mm.icann.org/mailman/listinfo/root-dnssec-announce

___
By submitting your personal data, you consent to the processing of your 
personal data for purposes of subscribing to this mailing list accordance with 
the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website 
Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman 
link above to change your membership status or configuration, including 
unsubscribing, setting digest-style delivery or disabling delivery altogether 
(e.g., for a vacation), and so on.

Schedule announced for next KSK key generation

2023-03-07 Thread Kim Davies via root-dnssec-announce 
ICANN has announced the planned schedule for the next Root Zone KSK
generation, namely during the next KSK ceremony scheduled for 27 April
2023.

The full announcement is at

 with the full
text below:

The Internet Corporation for Assigned Names and Numbers (ICANN) is
pleased to announce that the Internet Assigned Numbers Authority (IANA)
will generate a new root zone key signing key (KSK) used by the Domain
Name System Security Extensions (DNSSEC). DNSSEC ensures that the
information received from the DNS about a domain name is authentic. It
helps make the Internet safer for its billions of users.

Generation of the new key is planned to occur during the 49th KSK
Ceremony on 27 April 2023. The key will be replicated to an alternate
facility in the third quarter of 2023. IANA plans to pre-publish the key
in the DNS, starting in January 2024. It will be held in standby for
about two years, during which ICANN will conduct an extensive outreach
campaign to ensure a seamless transition to the new key for the global
Internet community.

The first time a key changed, an event referred to as
a rollover, was in 2018, following several years of
consultation, design, and testing. To learn more, click here
. This rollover was
considered a success, and this generation of a new key is the first step
in the next iteration of that plan.

The security and stability of the DNS requires the capability to change
keys. Rollovers of the root KSK, which is the process of replacing
one key with another, exercise these mechanisms to ensure ongoing
operational readiness.

The new key will use the same cryptographic algorithm
and key size that is used currently. A separate project
 is
underway to design the process for changing the algorithm used to sign
the root zone which will inform future changes in this area.

You can subscribe to the ksk-rollover mailing list
 to join the public
discussions related to changing the root key signing key.

___
root-dnssec-announce mailing list
root-dnssec-announce@icann.org
https://mm.icann.org/mailman/listinfo/root-dnssec-announce

___
By submitting your personal data, you consent to the processing of your 
personal data for purposes of subscribing to this mailing list accordance with 
the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website 
Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman 
link above to change your membership status or configuration, including 
unsubscribing, setting digest-style delivery or disabling delivery altogether 
(e.g., for a vacation), and so on.

Root Zone KSK HSM Update

2023-04-13 Thread Kim Davies via root-dnssec-announce 
Recently we became aware of a decision by the manufacturer of our hardware
security modules (HSMs) to cease production of the devices. Further, there is
no successor product as they are exiting that line of business[1].

The Keyper products we use were in part selected as they were the only viable
device that met FIPS 140-2 Level 4 certification, the highest certification
possible. They do not provide a function that would allow the private key to be
exported and imported into an alternative vendor’s device.

This news came after we announced last month that we are intending the generate
the next Root Zone KSK during our ceremony later this month. That key is planned
for production use from 2025-2029 approximately.

In light of the news of the HSMs, our plan is as follows:

* We are commencing a comprehensive analysis of the options available for
  KSK storage into the future. We understand that may involve adaptations
  to the security model, and once we’ve identified our preferred plan of
  action, we will consult on any implications of the new vendor selection.

* We plan to continue to generate the next KSK this year. We expect the need
  to switch HSMs may either alter the timeframe it is in production, or may
  pre-empt rolling to that key completely. However if we do not generate
  the next KSK, it limits the options available to us in the future.

* We are working with the vendor to ensure we have the best capability to
  continue to utilise the current HSMs for the next five years at least.
  This includes procuring additional spares and exploring options for
  reconditioning units with new batteries and the like.

We’re happy to answer any questions and we’ll keep you posted as circumstances
evolve. Obviously the HSM is at the heart of the security of the KSK so we will
be devoting significant resources to this development in the coming year.

[1] 
https://www.ultra.group/media/3747/20230306-end-of-life-notice-for-ultra-keyperplus.pdf

kim

Kim Davies
VP, IANA Services, ICANN
President, PTI

___
root-dnssec-announce mailing list
root-dnssec-announce@icann.org
https://mm.icann.org/mailman/listinfo/root-dnssec-announce

___
By submitting your personal data, you consent to the processing of your 
personal data for purposes of subscribing to this mailing list accordance with 
the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website 
Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman 
link above to change your membership status or configuration, including 
unsubscribing, setting digest-style delivery or disabling delivery altogether 
(e.g., for a vacation), and so on.