FRESH

Hacker News

Passing the Torch – My Last Root DNSSEC KSK Ceremony as Crypto Officer 4

71 points by greyface-

by gorgoiler

0 subcomment

I enjoyed reading the ceremony log itself, a lot! It’s linked at the bottom of the article.
https://technotes.seastrom.com/assets/2025-11-23-passing-the...
Hypothetically, is there a way to know that those present were not under duress? I am guessing that duress is the only viable attack against the ceremony protocol — everyone present appears to play their part but, offscreen and visible only to the participants, are the villains and some hostages.

by shruubi

2 subcomments

Not sure how geographically diverse it is to have two "highly secure sites" on the same continent.

by 0x50000000

0 subcomment

KMF-East is the Gegenvorschlag, or counterproposed key-management for the resolution of TCP/IP ICANN domain certifications.
DNSSEC requires cycling existing TCR for AES-256 symmetric encryptions or leveraging localised key share cycles.

by teddyh

1 subcomments

He should probably update his “About” page on his blog to remove ”I sign the DNSSEC root”, then.