ICANN Resolutions » Contingency Plans for Key Signing Key Ceremony
Important note: The Board Resolutions are as reported in the Board Meeting Transcripts, Minutes & Resolutions portion of ICANN's website. Only the words contained in the Resolutions themselves represent the official acts of the Board. The explanatory text provided through this database (including the summary, implementation actions, identification of related resolutions, and additional information) is an interpretation or an explanation that has no official authority and does not represent the purpose behind the Board actions, nor do any explanations or interpretations modify or override the Resolutions themselves. Resolutions can only be modified through further act of the ICANN Board.
Whereas, ICANN, through its affiliate PTI, must regularly generate cryptographic signatures that allow the root zone to be properly authenticated using DNSSEC. This work is currently performed every three months using "key ceremonies" involving trusted community representatives from throughout the world, governed by the DNSSEC Practice Statement.
Whereas, in December 2019, a new strain of coronavirus, causing a disease referred to as COVID-19, emerged and on 30 January 2020 was declared by the World Health Organization (WHO) as a public health emergency of international concern. On 11 March 2020, the WHO publicly characterized COVID-19 as a pandemic.
Whereas, the COVID-19 pandemic challenges ICANN's ability to perform the key ceremonies according to policy, due to global travel restrictions and guidance from governments and health authorities to limit gatherings of people.
Whereas, in the face of the COVID-19 pandemic, ICANN has developed contingency plans with a graduated approach to holding the key ceremony, initially providing for maximum participation, and incrementally deciding upon alternatives if participation is not possible.
Whereas, there is sufficient uncertainty whether a subsequent ceremony can be held in an orderly manner later in the year, and there are options under consideration that will reduce this risk by holding a ceremony that produces cryptographic signatures for an extended period of time.
Resolved (2020.04.16.01), the Board finds the contingency plans to be in the best interests of ICANN and in the global public interest, and authorizes the President and CEO, or his designee(s), in consultation with the PTI President, to take all necessary steps to perform the key signing ceremonies as provided in the contingency plans.
The Root Zone Key Signing Key (Root KSK) is managed using a system that deliberately disperses a number of trusted roles both logically and geographically, a security measure designed to reduce the risk of collusion between parties to perform unplanned activity. In normal operations, many of these trusted role-players need to converge at one of two ICANN-managed sites (key management facilities, or KMFs) for "ceremonies" where each carries out their role in essential KSK procedures, typically once every three months.
Due to the 2020 Coronavirus pandemic, ICANN org staff's mobility has been curtailed and other companies that supply these trusted roles are enacting similar policies. Further, governments have implemented travel restrictions that have a similar effect of reducing mobility. There is a significant risk that these events reduce participation below the minimums, harming KSK management. Without effective contingency plans, the inability to perform successful KSK operations would ultimately mean a widespread catastrophic failure of the DNS.
The Board's action on this matter is in line with precedent concerning significant decisions around the operations of the DNSSEC key signing key that could have widespread community impact. In the past, the ICANN Board adopted a resolution authorizing proceeding with the first key-signing key rollover.
The Board's action today is to authorize the President and CEO, in consultation with the PTI President, to take all necessary steps to perform the key signing ceremonies as outlined in the following contingency plans. The ceremony management approach in the contingency plans contains two key components:
A graduated approach to holding the ceremony, initially providing for maximum participation, and incrementally deciding upon alternatives if participation is not possible.
Seek to implement a contingency to sign for additional quarters at the next ceremony, which will provide operational resilience against a period of anticipated high volatility.
The associated procedures and policies were updated to reflect these new procedures during a meeting of ICANN's Policy Management Authority on 6 April 2020. In particular, the DNSSEC Practice Statement (DPS) formally governs how KSK management is performed, and has been revised to allow for implementation of the presented options following proper authorization by management.
3.1 Planned scenarios for holding KSK Ceremony 41
The graduated approach consists of four options, ranked from most desirable to least desirable. Each has associated conditions and approval processes for moving to the next option:
3.1.1 Option A: Hold the April 2020 Ceremony as planned
The 41st KSK ceremony is currently scheduled for 23 April in Culpeper, Virginia. The ceremony can continue to be held on that date according to normal procedure if the minimum number of attendees are present, including three trusted community representatives.
Key risks: Holding the ceremony as planned relies on international mobility of trusted community representatives which is currently severely compromised, and the future evolution of these restrictions is unpredictable. Staff mobility is also impacted domestically.
Proceeding to Option B: If, in the judgment of the President of PTI, the situation does not stabilize with a high level of confidence that the ceremony can be held as scheduled, Option B shall become the preferred option.
3.1.2 Option B: Hold the ceremony with only US-based personnel
Three of the seven trusted community representatives for the Culpeper location are based in the US, two on the east coast and one on the west coast. Only two of the three can attend the ceremony scheduled for the selected date, so this option would identify an alternate date that can be attended by all three.
Key risks: This option relies upon ongoing domestic mobility of trusted community representatives and staff. It also assumes necessary personnel do not get sick or otherwise cannot attend, as there is no safety margin for non-attendance.
Proceeding to Option C: If, in the judgment of the President of ICANN, the ceremony cannot be committed to with a high level of confidence or otherwise cannot be executed by May 8, Option C becomes the preferred option.
3.1.3 Option C: Hold the ceremony only with Los Angeles based personnel and minimum in-person participation
The KMFs were expressly designed to allow for staff-only ceremonies in a disaster recovery ceremony to ensure key ceremonies are held as needed. The minimum essential personnel could perform a key ceremony in our El Segundo KMF on short notice. This would, however, not have the required number of trusted community representatives present in-person.
Key risks: This option requires a minimum number of staff and contractors to be available (i.e. not incapacitated or restricted in movement). It breaches the standard expectations on participation in key ceremonies, but is considered an option within scope of the disaster recovery procedure.
Proceeding to Option D: If the ceremony cannot be conducted by June 19, Option D becomes the ultimate option. The Board of ICANN shall make the final determination to move to Option D.
3.1.4 Option D: Suspend signing of the DNS root zone
This is the final option if there is no conceivable way to activate the KSK and perform signing operations. There would need to be a massive education campaign at short notice to have resolver operators disable DNSSEC validation. There is a high risk of widespread outages, as it is not possible to ensure global implementation, and a high risk that this will fatally compromise trust in DNSSEC in general as a technology.
This is considered highly unlikely, but nonetheless the final option. Without exercising the option, in the absence of a successful key signing ceremony, DNSSEC validation would be unsuccessful starting in July 2020.
3.2 Sign key material covering two calendar quarters
A standard key ceremony generates signatures that cover one calendar quarter (3 months). Generating signatures that cover additional calendar quarters in this key ceremony will provide greater resilience to root zone operations during a period of ongoing uncertainty. Should a prolonged threat materialize, this additional time will allow for consideration of long-term changes to the current key ceremony model if necessary. Based on the feedback from the trusted community representatives, we expect to generate signatures for three quarters, covering nine months. Such an action would relieve the need to hold a key signing ceremony for the remainder of 2020, therefore the next ceremony would be needed around February of 2021. The key material for the additional quarters would be held securely by ICANN and released to the Root Zone Maintainer in accordance with the normal schedule.
In preparing this approach, staff engaged with:
those scheduled to take part in the April 2020 ceremony;
the third-party auditor;
the root zone maintainer;
the vendors that support the key ceremonies;
the trusted community representatives and former ceremony attendees;
ICANN's Root Zone Evolution Review Committee, comprised of representatives of ICANN's various sponsoring organizations and advisory committees;
the DNS-OARC operations mailing list; and
the KSK Rollover project mailing list.
General notice of this approach was also provided to our public announcement mailing list, comprised of around 700 subscribers interested in Root KSK management. Discussions focused on the viability of elements of the proposal, their impacts on operations and the control environment, and steps necessary to retain the high levels of trust that ICANN enjoys with respect to how it manages the KSK.
This proposal is not anticipated to have a material fiscal impact beyond normal operational costs associated with KSK management.
Public Consultation Requirements
This matter relates to IANA Naming Functions operations, performed by PTI under contract from ICANN. Procedures that are used in KSK operations must be approved by the Policy Management Authority, an internal ICANN Org committee. There is no formal public comment requirement; however, IANA staff will continue to consult with the trusted community representatives and other stakeholders to implement and adapt these plans. A communications strategy will be developed to support awareness of any operational changes and impacts.
The Board's action is within the public interest and within ICANN's mission as it will help to continue to ensure the stable and secure operation of the Internet's unique identifier systems. The inability to conduct the next key ceremony would result in widespread DNS resolution failure globally in July 2020 as DNSSEC would cease to function. The Board's action will help ensure that DNSSEC-enabled devices will be able to resolve any domain names.
The following risk considerations were factored into the Board's deliberations on this action.
8.1 Travel of attendees is interrupted
The primary risk that this plan is designed to address is the inability of attendees to attend the key ceremony. The suggested mitigation is the graduated approach to different options to hold the ceremony, up to and including holding a ceremony only with staff in the Los Angeles metropolitan area, that will not require air or interstate travel.
8.2 Facility operator suspends access to facility
The company that provides the facilities in which the KMFs are based may suspend access as part of their response to the pandemic. The suggested mitigation would be to advocate to their senior management, through trusted proxies if necessary, to make an exception given the requirement to hold this ceremony to support critical Internet infrastructure and Internet operation. ICANN has been in discussion with the US Government about issuance of special guidance should it be necessary to retain the access needed to perform the key ceremony.
8.3 Government suspends access to the facility, and/or constrains travel
Governments at different levels may impose restrictions on travel or gatherings that impede the ability to hold the ceremony. ICANN can advocate for exceptions to be made through the appropriate channels, as described in the previous section, noting the requirement to hold this ceremony to support critical Internet infrastructure and Internet operation. In particular, ICANN has existing relationships with governments that can be used to seek such exemptions.
8.4 Staff become ill or otherwise indisposed
The minimum essential personnel may be incapable of performing the ceremony because they themselves are ill, quarantined or otherwise unavailable. The primary mitigation is that PTI staff and other support staff from ICANN Org have been implementing social distancing since the beginning of March 2020 to limit potential transfer of illness. Additionally, there is approximately a three-month window to traverse the options presented, with sufficient slack to allow the exact date within each option to be adjusted to allow for recovery and still be held.
8.5 Option C undermines community trust in KSK stewardship
Holding a ceremony without the standard protections, including third-party community witnesses physically in the KMF, may dilute trust in the management and stewardship of the KSK. To mitigate this, the ceremony would still be conducted to audit standards, under supervision of a third-party auditor, and all materials (including comprehensive audit footage and ceremony artefacts) would be posted online as is standard. Live streaming of the ceremony would be provided and enhanced to allow those not present to observe and interject with concerns or questions. TCRs and other stakeholders have been consulted on how to conduct an Option C ceremony so it is performed to their maximum satisfaction given the necessary constraints. We would strive to obtain buy-in from TCRs and other stakeholders that this would be the right compromise given the alternatives.