The fact that these are live-streamed is so cool! The amount of transparency is impressive.
The people who are involved in this live very great, I think, looking at how they are doing it.
Step 1.4, if the alarm sounds, just leave. Isn't it a vulnerability by itself in this process?
That is in case of an emergency. If the room needs to be evacuated in case of an emergency, you can open the door from inside without using a badge and pin. In that case, the sound alarm will be activated.
It's also basic code for buildings. One has to be able to exit any building in an emergency situation.
I understand the reasoning but was wondering if this has been part of the threat model, to see if there are enough mitigating controls for protecting the sensitive material already accessible as part of this process when people leave upon hearing the alarm. For example, in case of a fake alarm, you may have both safe boxes open and the only protection may be the room door, which is protected only by badge, which would completely invalidate the reason why you have safe boxes in there. Even so, I would ask if the badge-protected door is also fail-safe from outside in case of such a building alarm.
@@RamiSIK-zq4cx Firstly, there's only ever one safe open at a time. If an alarm sounded while either of these safes were open, it would be a simple matter to close and lock the safe before exiting the safe room. One would have to get past two other doors with progressively tighter requirements to gain entry to this third door to the safe room. Secondly, the access control system authorizing the badges of these doors operates independently of the safe, unless the safe door is open, in which case all badge swipes are disabled until the safe door is closed again. If you check the ceremony scripts, it asks the CA to verify the "wait" light is off once the door is closed. That is the reason. They would not be able to badge out of the room unless the sensor of the safe door is closed. Finally, independent of all that, there are two separate surveillance systems monitoring the room 24/7/365. Many overlapping controls would need to be defeated in order to access the room without authorization, and to access the room without triggering any alerts is extremely unlikely.
When is the next actual KSK change to happen? (Not the ZSK)
The KSK rollover is tentatively scheduled for October 11, 2026.
DNSSEC has a single point of failure in the US Government, as all ceremonies happen on US Soil. Please fix.
This has been an issue that's becoming more and more relevant as over time the geopolitical climate is taking a new shape. I suggest the United Nations building in Geneva, Switzerland to be the new designated headquarters.
I noticed the camera angle is different from the last ceremony. Is there footage of someone entering tier 5 to adjust the camera, or did that happen off camera?
Routine maintenance occurs in the key management facilities between ceremonies. The audit cameras themselves were replaced with new units a week prior, which would explain the slightly different camera angle. These cameras also use dual recording to local SD cards which are sealed and retained for audit purposes, and physically removing and installing SD cards can also inadvertently adjust the camera. We do not post footage every time we enter these facilities; however, any activity that requires opening either safe is scripted, recorded, and at minimum posted on the IANA ceremonies webpage and may be live streamed as well.
@@iana-org Makes sense, thanks for the reply!
"Fantômas, Doctor Who and Mystique took part in yet another Root KSK key signing ceremony."
Out of curiosity, could you share who your videographer/AV person is? I'd love to hire them for a key ceremony we're planning in CA in the next few months
Hello. We have our cameras and streaming equipment permanently installed in the key management facility. Maintenance and operations are documented and performed by the RKOS staff. We are happy to share information if you are interested in our setup.
4:11:46 exactly the kind of reference i'd expect :)
this is the nerdiest thing I've ever seen. Respect for maximum transparency
I concur!
You deserve better recognition, you keep the internet running 😺
Nice work guys 😊
At 1:13:10 during the OP2 or OP3 audit, serial communication is corrupted; a few characters are missing. Fortunately not critical (the internal clock is not correct anyway). Please use a better and shorter cable though. This caused issues at 2:03:00, in a few places, including the Serial Number readout. The staff incorrectly say this is a bug in the firmware, where in fact it is a fault of the cable.
After the ceremony, thorough testing took place where we were able to reproduce the issue with a different HSM of the same exact variety, and our initial assumption that it had to do with the HSM firmware ended up being completely wrong, but it's also not a cable issue. Further testing with our testing laptop and HSM allowed us to isolate the issue to the updated version of STTY’s translation of the RS232 controller. We consistently receive a random 1-2% error rate in the captured HSM output. Testing suggests the previous version of STTY included with the former version of COEN (our ceremony operating system) was performing error correction more optimally with our former hardware combination. Multiple USB to serial port adapters utilizing the STDI chipset were tested to circumvent the laptop’s onboard RS232 controller and serial port. We ran several diff comparisons of the captured output with consistent results, showing only anticipated character changes such as the HSM reset count and timestamps. We plan to return to using USB to serial port adapters in future KSK ceremonies. USB to serial port adapters were used with the previous generations of ceremony laptops in KSK ceremonies from 2010-2018 without issue. Hope this clears things up.
@@iana-org Hi IANA. Thanks for the response. That makes sense, serial can be finicky. It is weird that the built-in serial was not cooperating. Maybe some flow control lines were not handled correctly, or the driver has issues, all possible. Thanks for testing, and finding a hopefully secure workaround.
@@movax20h It really appears to just be the way the RS232 controller built into the laptop for that built-in serial port was doing the translation with the new version of STTY. It was a pretty deep dive down the rabbit hole to make that determination. At KSK Ceremony 50 we successfully used the USB to serial adapter combined with the same version of STTY without any issues, so we don't anticipate any issues of this variety to arise again.
How does doing the "head -c ...." check on the SD card at 49:05 verify that the bootloader and root are correct? That does not feel right to me. EDIT: My bad. This is correct, and actually necessary, due to the SD card (sda) being bigger in total than the content on the relevant partitions or the CD. "head -c ...." does verify the bootloader, partition tables and their content. All good.
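A constructed illustration of the point in the comment above, added here and not one of the IANA ceremony scripts: when a card is larger than the image written to it, hashing the whole device can never match the reference, while hashing only the first image-size bytes covers the bootloader, partition table and partition contents and still catches a change inside that region. All inputs are built in a temp directory; "coen.iso" and "sda" are placeholder names.

```shell
#!/bin/sh
# Added example, not from the IANA ceremony scripts: why comparing only the
# first <image size> bytes of the SD card ("head -c") is the right check when
# the card is larger than the image written to it. All inputs are constructed
# in a temp dir; "coen.iso" and "sda" are placeholder names for the reference
# image and the card's block device.
set -eu

WORK="$(mktemp -d)"
IMAGE="$WORK/coen.iso"
CARD="$WORK/sda"

# Constructed reference image: 64 KiB of 'A' bytes.
head -c 65536 /dev/zero | tr '\0' 'A' > "$IMAGE"
# Constructed card: the image at offset 0, then 32 KiB of unrelated leftover data.
cp "$IMAGE" "$CARD"
head -c 32768 /dev/zero | tr '\0' 'Z' >> "$CARD"

file_sha256() { sha256sum "$1" | cut -d' ' -f1; }

# Hash only as many bytes of the device as the image is long.
prefix_sha256() {
  size=$(wc -c < "$1" | tr -d ' ')
  head -c "$size" "$2" | sha256sum | cut -d' ' -f1
}

# Naive check: hashing the whole card. Fails even for a correctly written card,
# because the trailing space after the image is folded into the digest.
whole_card_matches() { [ "$(file_sha256 "$IMAGE")" = "$(file_sha256 "$1")" ]; }

# Ceremony-style check: bootloader, partition table and partition contents all
# sit inside the first <image size> bytes, so this covers everything that matters.
prefix_matches() { [ "$(file_sha256 "$IMAGE")" = "$(prefix_sha256 "$IMAGE" "$1")" ]; }

# A card with one byte changed inside the image region must still be rejected.
TAMPERED="$WORK/sda_tampered"
cp "$CARD" "$TAMPERED"
printf 'B' | dd of="$TAMPERED" bs=1 seek=4096 conv=notrunc 2>/dev/null

if prefix_matches "$CARD"; then echo "good card: prefix check passed"; fi
if ! prefix_matches "$TAMPERED"; then echo "tampered card: prefix check rejected it"; fi
if ! whole_card_matches "$CARD"; then echo "good card: whole-device hash does not match (expected)"; fi
```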
this is sooo cool. Thank you ICANN for what you do, and thank you MKBHD team
This is so fascinating. Thank You <3
Still the most transparent organisation on earth
thanks for what you do
Peep the live chat replay
What is the final key encryption used for; what exactly does it encrypt?
banger
Big up
This is amazing as ASMR
Looks very rigorous!
Hey, what language is that?!
@@TheFunnyDictator unicode
What an honor and privilege to handle such a task.
Fantastic, thanks for letting the MKBHD guys be your guests. The podcast they put together was great and I learned a lot about what you do and how all this works. Thank you.
what happens if someone dies?
We own . pizza FTW
Is that a built-for-purpose, application-specific OS?
Can someone explain to me how they can update the Digital certificates of the DNS zone servers if the machine they do it on is air gapped? At which step the new certificates are actually deployed?
The cryptographic signatures generated during the ceremony are exported on a USB flash drive (the "HSMFD" in the script) and taken out of the facility at the end of the ceremony. Then during the daily production of the root zone they are inserted as part of the zone signing process.
@@kijeda thank you so much!
This must be the most boring job ever
59:18 of course it's Ohio, what else could it be
It's Debian, fuuuck
Thanks for all the work you do IANA!!
mkbHD baby❤
Waveform Podcast brought me here! Shoutout to David and the team
Gentleman at 8:08: Smash that like button. We have indeed, kind sir. ICANN, thank you for all that you do.
WAVEFORM/MKBHD sent me here. Super cool.
I want this job. It looks so fun!
7:53 “last but not least DAVID” 🙌😤🌋
okay this makes me happy , a safe internet
I'm glad I learned about this! Thanks WVFRM team <3
You are Sri Lankan right?
@@ravifleming Yes! Was also happy to see a Sri Lankan in the session by random :)
this is everything i could want from an ICANN key signing ceremony
8:07 Subscribe to MKBHD! :)
for anyone interested, the MKBHD crew introduces itself at 7:21!
Interactive music by Vayne Sil starts playing
@@Leanzazzy 20 Syl ( It's a french artist)
MKBHD ❤️
For channel regulars wondering why this particular video is blowing up, look no further than the MKBHD guys😅
You got the link to the video ? I want to see it :)
On the Dec 1st 2023 episode, their Spotify Wrapped said this was their most viewed episode. Went to play ICANN and the 7 keys of the internet, and they talked about this. So I came down to TH-cam lol
Fuck whoever those people are because I found this with a search
Shoutout to waveform podcast 🤣
David is insanely cool