The Internet's Master Key Lives in Two Vaults, Held in Pieces by Strangers
The Domain Name System is the address book of the internet, and since 2010 it has been cryptographically signed at its root. That chain of signatures rests on a single key. The way the world safeguards that key is a quarterly ceremony, held inside one of two high-security facilities and conducted by a small group of strangers from around the world, each holding one piece of a physical lock.
The Domain Name System — DNS — is the part of the internet that turns names you type, like example.com, into the numerical addresses computers actually use. Almost every secured connection you make depends on the directory being correct. If you cannot trust DNS, you cannot trust that you are talking to the bank you think you are talking to.
Since 2010, the global DNS root has been cryptographically signed using a system called DNSSEC. At the very top of that signing chain sits a single root key, the Root Key Signing Key. If it were ever lost, copied, or quietly subverted, the global authentication chain would collapse and have to be rebuilt by hand.
The job of safeguarding the key belongs to ICANN, the body that coordinates internet identifiers. The key itself never leaves a hardware security module. The hardware lives inside one of two specific secure facilities — one in El Segundo, California, the other in Culpeper, Virginia. The two sites mirror each other so that the loss of one does not end the system.
Four times a year, ICANN runs a Root Key Signing Ceremony to generate fresh signatures for the next quarter. The procedure is meticulous and almost theatrical. Participants are searched. Cameras film every corner. Biometric scanners verify identity. Sealed tamper-evident safes are opened in front of witnesses. The full script runs to dozens of pages and the ceremony lasts several hours. The whole event is recorded and the recordings are published.
The people who actually unlock the equipment are a small group called Trusted Community Representatives — fourteen volunteers in total, drawn from technical communities around the world. Seven of them are associated with each facility, and each holds a personal smart card. To activate the signing module at a given ceremony, at least three of the seven local cardholders must be present in person.
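The three-of-seven rule is a threshold scheme: no single cardholder can act alone, and any three of the seven suffice. The Python below is an added illustration, not ICANN's procedure and not how the signing module's smart cards work internally; it demonstrates the same property with Shamir secret sharing over a prime field, using a constructed toy secret. Any three shares rebuild the value, while two yield a wrong answer.

```python
"""Illustration of a 3-of-7 threshold using Shamir secret sharing.

Constructed example: the secret and field are toy values chosen for the
demonstration. This shows the mathematical property behind an M-of-N
access rule, not the real HSM smart-card mechanism.
"""
import secrets

PRIME = 2**127 - 1  # Mersenne prime; field large enough for a 16-byte secret
THRESHOLD = 3       # minimum cardholders needed at a ceremony
SHARES = 7          # cardholders associated with one facility


def _eval_poly(coeffs, x):
    # Horner's rule over GF(PRIME); coeffs[0] is the constant term (the secret)
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, k=THRESHOLD, n=SHARES, rng=secrets.randbelow):
    """Return n (x, y) shares of `secret`; any k of them reconstruct it.

    `rng` is injectable so the demonstration can be made deterministic.
    """
    assert 0 <= secret < PRIME and 1 < k <= n
    coeffs = [secret] + [rng(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(PRIME)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Fermat inverse of den; works on any Python 3 version
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def demo(secret=0xC0FFEE):
    """True when any 3 of 7 shares recover the secret and 2 shares do not."""
    shares = split_secret(secret)
    any_three = recover_secret(shares[:3]) == secret
    other_three = recover_secret([shares[1], shares[4], shares[6]]) == secret
    too_few = recover_secret(shares[:2]) != secret
    return any_three and other_three and too_few
```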
The bedrock of the internet's authentication is, in the end, a small group of strangers and a set of physical objects in a locked room.