IANA locked itself out! Love the Internet

Internet’s safe-keepers forced to postpone crucial #DNSSEC root key signing ceremony – no, not a hacker attack, but because they can’t open a safe https://www.theregister.co.uk/2020/02/13/iana_dnssec_ksk_delay/

By Kieren McCarthy in San Francisco 13 Feb 2020 at 06:09

The organization that keeps the internet running behind-the-scenes was forced to delay an important update to the global network – because it was locked out of one of its own safes.

“During routine administrative maintenance of our Key Management Facility on 11 February, we identified an equipment malfunction,” explained Kim Davies, the head of the Internet Assigned Numbers Authority (IANA), in an email to the dozen or so people expected to attend a quarterly ceremony in southern California at lunchtime on Wednesday.

The malfunction “will prevent us from successfully conducting the ceremony as originally scheduled” on February 12, Davies explained. “The issue disables access to one of the secure safes that contains material for the ceremony.” In other words, IANA locked itself out.

< – >

update

On Feb 14, 2020,
The organization that keeps the internet running behind-the-scenes was forced to delay an important update to the global network – because it was locked out of one of its own safes.

As the _other_ FIPS 140-2 Level 4 DNSSEC platform operator, I have deep, deep sympathy for Kim in this, and absolutely understand that it could have happened to us just as easily.  I very much doubt that ICANN staff were in any way at fault in this.

We use the same model of IPS that ICANN does, and I believe the same super-clunky Kaba-Mas X10 electromechanical lock.  I can well believe that it got into a weird state and had to be drilled out.  The good news is that that’s completely orthogonal to all the DNSSEC processes, and just means the principals need to reconvene after the lock has been replaced.

-Bill
