Contingency Plans for 2021 Key Signing Key Ceremonies
Important note: The Board Resolutions are as reported in the Board Meeting Transcripts, Minutes & Resolutions portion of ICANN's website. Only the words contained in the Resolutions themselves represent the official acts of the Board. The explanatory text provided through this database (including the summary, implementation actions, identification of related resolutions, and additional information) is an interpretation or an explanation that has no official authority and does not represent the purpose behind the Board actions, nor do any explanations or interpretations modify or override the Resolutions themselves. Resolutions can only be modified through further act of the ICANN Board.
Whereas, ICANN, through its affiliate PTI, must regularly generate cryptographic signatures that allow the root zone to be properly authenticated using DNSSEC. This work is currently performed every three months using "key signing ceremonies" involving trusted community representatives from throughout the world, governed by the DNSSEC Practice Statement.
Whereas, in April 2020, the Board resolved to authorize contingency plans to hold these ceremonies in a modified format in response to the challenges posed by the COVID-19 pandemic.
Whereas, the COVID-19 pandemic continues to challenge ICANN's ability to perform the key ceremonies according to policy, due to global travel restrictions and guidance from governments and health authorities to limit gatherings of people.
Resolved (2020.12.17.04), the Board finds the contingency plans continue to be in the best interests of ICANN and in the global public interest, and authorizes the President and CEO, or his designee(s), in consultation with the PTI President, to take all necessary steps to perform the key signing ceremonies as provided in the contingency plans during 2021.
The Root Zone Key Signing Key (Root KSK) is managed using a system that deliberately disperses a number of trusted roles both logically and geographically, a security measure designed to reduce the risk of parties colluding to perform unplanned activity. In normal operations, many of these trusted role-players need to converge at one of two ICANN-managed sites (key management facilities, or KMFs) for "ceremonies" in which each carries out their role in essential KSK procedures, typically once every three months.
Due to the Coronavirus pandemic, ICANN org staff's mobility has been curtailed and other companies that supply these trusted roles have enacted similar policies. Further, governments have implemented travel restrictions that have a similar effect of reducing mobility. There is a significant risk that these factors continue to impede the ability to hold key signing ceremonies in a normal manner. Without effective contingency plans, the inability to perform successful KSK operations would ultimately mean a widespread catastrophic failure of the DNS.
The Board's action on this matter is in line with the decision it took in April 2020 at the beginning of the pandemic. This resolution seeks to extend the contingency plans beyond the period originally envisaged.
The Board's action today is to authorize the ICANN President and CEO, in consultation with the PTI President, to continue to take all necessary steps to perform the key signing ceremonies as outlined in the following contingency plans. The ceremony management approach in the contingency plans continues to adapt ceremony operations to facilitate maximum safe participation and to decide upon alternatives where participation is not possible. It also provides for additional operational resiliency by performing signing operations for additional calendar quarters until ceremony operations can safely resume in their normal format.
The associated procedures and policies allow for operations in this format following adjustments adopted by ICANN's Policy Management Authority on 6 April 2020. In particular, the DNSSEC Practice Statement (DPS) formally governs how KSK management is performed, and has been revised to allow for implementation of the presented options following proper authorization by management.
3.1 KSK Ceremony 42 (2021Q1)
Staff has taken the lessons learned from planning and conducting KSK Ceremony 41, improved details based upon community feedback, and proposes to perform KSK Ceremony 42 in a similar manner which satisfies the broader Internet community and our DPS requirements. The ceremony would be held in the first quarter of 2021, with prospective attendees to be polled on the precise date upon adoption of this resolution.
3.1.1 Graduated set of options for ceremony performance
As with the 41st KSK ceremony held in April 2020, the final configuration of the ceremony will be decided based on an assessment of the viability of a graduated set of options. These options provide for alternate mixes of personnel based on the nature of the restrictions around the time the ceremony is due to be held. In all cases, the ceremonies continue to be held in a public and transparent manner, with the ability for community members to participate remotely to assure confidence in how the ceremony is conducted. Compensating controls are effectively implemented to provide assurances regarding the custody of all secure elements used in the ceremony.
3.1.2 Signing for additional calendar quarters
The coronavirus pandemic is expected to continue to significantly impact operations well into 2021. To limit the impact on the ability to hold quarterly key ceremonies, the plan again provides for generating signatures for an extended nine-month period. This relieves the need to hold a subsequent key signing ceremony until the fourth quarter of 2021.
3.2 KSK Ceremony 43 (2021Q4)
A successfully held ceremony in the first quarter of 2021, which generates nine months of signatures, would require the subsequent key ceremony to be held in the fourth quarter of 2021.
Staff will continue to monitor the pandemic and prepare for all possible scenarios for this ceremony in accordance with the graduated approach. Should widespread vaccination programs prove to be successful, and international travel limitations be relaxed, it is conceivable a late-2021 ceremony could be conducted in its normal format with international in-person participation.
The original contingency plan was developed in early 2020 through wide community engagement, including expected ceremony participants, the third-party auditor, the root zone maintainer, the vendors that support the key ceremony, the trusted community representatives and former ceremony attendees, ICANN's Root Zone Evolution Review Committee, and a number of relevant industry mailing lists. Subsequent to the April 2020 ceremony, the feedback received was universally positive that the modified format met the objectives and retained community trust in KSK management.
Many of these same parties have been apprised of our intention to extend the contingency plan into 2021 and have supported these efforts.
This proposal is not anticipated to have a material fiscal impact beyond normal operational costs associated with KSK management.
Public Consultation Requirements
This matter relates to IANA Naming Functions operations, performed by PTI under contract from ICANN. Procedures that are used in KSK operations must be approved by the Policy Management Authority, an internal ICANN Org committee. There is no formal public comment requirement; however, IANA staff will continue to consult with the trusted community representatives and other stakeholders to implement and adapt these plans.
The Board's action is within the public interest and within ICANN's mission as it will help to continue to ensure the stable and secure operation of the Internet's unique identifier systems. The inability to conduct key signing ceremonies in a timely manner would result in widespread DNS resolution failure globally as DNSSEC would cease to function. The Board's action will help ensure that DNSSEC-enabled devices will be able to resolve any domain names.
The following risk considerations were factored into the Board's deliberations on this action.
8.1 Travel of attendees is interrupted
The primary risk that this plan is designed to address is the inability of attendees to safely attend the key ceremony. The suggested mitigation is the graduated approach to different options to hold the ceremony, up to and including holding a ceremony only with staff in the Los Angeles metropolitan area, that will not require air or interstate travel, and with safety precautions for the individual attendees.
8.2 Facility operator suspends access to facility
The company that provides the facilities in which the KMFs are based may suspend access as part of their response to the pandemic. The suggested mitigation would be to advocate to their senior management, through trusted proxies if necessary, to make an exception given the requirement to hold this ceremony to support critical Internet infrastructure and Internet operation. ICANN has been in discussion with the local and national authorities about issuance of special guidance should it be necessary to retain the access needed to perform the key ceremony.
8.3 Government suspends access to the facility, and/or constrains travel
Governments at different levels may impose restrictions on travel or gatherings that impede the ability to hold the ceremony. ICANN can advocate for exceptions to be made through the appropriate channels, as described in the previous section, noting the requirement to hold this ceremony to support critical Internet infrastructure and Internet operation. In particular, ICANN has existing relationships with governments that can be used to seek such exemptions.
8.4 Staff become ill or otherwise indisposed
The minimum essential personnel may be incapable of performing the ceremony because they themselves are ill, quarantined or otherwise unavailable. The primary mitigation is that PTI staff and other support staff from ICANN Org have been implementing social distancing since the beginning of March 2020 to limit potential transfer of illness. Additionally, there is approximately a three-month window to traverse the options presented, with sufficient slack to allow the exact date within each option to be adjusted to allow for recovery and still be held. There is also depth in staffing such that essential roles can be performed by different personnel if needed.