The global deployment of Domain Name System Security Extensions (DNSSEC) will achieve an important milestone on June 16, 2010 as ICANN hosts the first production DNSSEC key ceremony in a high security data centre in Culpeper, VA, outside of Washington, DC.

During the key ceremony the first cryptographic digital key used to secure the Internet root zone will be generated and securely stored.

Each key ceremony consists of a series of detailed procedures designed to allow the private key material for the root zone to be managed in a transparent yet secure manner. The goal is for the whole Internet community to be able to trust that the procedures involved were executed correctly, and that the private key materials are stored securely.

Security of the private key is important because it ensures that any signature made by that key is known to originate from a legitimate key ceremony, and not by an untrusted third party.

Each key ceremony will involve ICANN staff together with 14 volunteers known as Trusted Community Representatives (TCRs). Each TCR is a respected member of the technical Domain Name System (DNS) community in their home country. They are also unaffiliated to ICANN, VeriSign or the US Department of Commerce, and have been assigned a separate key management role within the ceremony. The involvement of these independent participants provides transparency of process — a successful key ceremony is only possible if the TCRs involved are satisfied that all steps were executed accurately and correctly. The ceremony and its associated systems and processes will also be subject to a SysTrust audit.

The deployment of DNSSEC in the root zone of the DNS provides benefits for those who publish information in the DNS, and for those who retrieve it. Top-Level Domain (TLD) managers and end-users alike will benefit from being able to publish and locate cryptographic key material (“trust anchors”) in the root zone. The root zone provides a consistent and convenient entry point to the security of the whole system.

A second key ceremony will take place in a second secure facility in Los Angeles in early July. By having two complete and independent facilities available, ICANN is able to ensure that key ceremonies can continue to occur in the event of an unexpected disaster in one location. Scheduled key ceremonies will take place four times annually, with two occurring in each location. Full deployment of DNSSEC in the root zone, using the key first generated in Culpeper, is scheduled to take place on July 15, 2010. Extensive documentation and related information about the project can be found at http://www.root-dnssec.org/.