- LACNIC participated in the 57th DNS Root Key Signing Ceremony, which focused on signing the current ZSK and managing the KSK rollover.
- A new tool was introduced to check resolver readiness, as concerns remain about awareness and implementation ahead of the 2026 deadline.
What happened: LACNIC joins key signing ceremony 57
At the end of April 2025, the 57th DNS Root Key Signing Ceremony was held at the secure facility on the east coast of the United States. LACNIC participated in the event through the presence of one of its representatives acting as a Cryptographic Officer, alongside officials from other regional internet organisations. The ceremony followed a routine process to sign the current Zone Signing Key (ZSK) and to continue preparations for the upcoming Key Signing Key (KSK) rollover.
A new version of the operating system and HSM control software (coen v2.0.1) was used, marking a technical update to the platform. According to those involved, this instance proceeded without any exceptions to the planned script. Currently, the DNS root zone contains two KSKs (20326 and 38696) and two ZSKs, including a new one scheduled to appear by the end of June. The new KSK is already reportedly accepted by over 90% of resolvers.
Also Read: LACNIC works to grow internet resources in Latin America
Also Read: LACNIC 43 focuses on routing security and IPv6 at Bogotá event
Why it’s important
The root key signing ceremony plays a critical role in maintaining the global DNSSEC trust chain. While the process is routine, it underpins the technical integrity of the internet’s naming system. LACNIC’s participation reflects the shared responsibility of Regional Internet Registries in DNS governance, although the ceremony itself receives limited public attention.
Given that the internet continues to rely on the stability of DNS infrastructure, the complexity and opacity of key management processes raise concerns about transparency and operational redundancy.
This ceremony took place during the ongoing KSK rollover cycle, which requires resolver operators and software vendors to update their systems to trust the new key. The presenter from LACNIC later discussed this topic during the LACNIC43 Technical Forum, particularly highlighting the 2026 deadline for resolver compliance.
A test tool based on RFC8509 was also introduced to assess resolver readiness, although it remains in beta. These developments indicate that while the cryptographic process is functioning, awareness and implementation at the edge of the network may lag behind. Without sustained communication and proactive monitoring, key rollovers may risk introducing disruption. The broader question remains whether these essential security events are adequately understood and supported across the operational community.
