* Edward Lewis:

> This comes from the observation that the contents of the database
> sourcing the zone (whether a commercial-like database or a vi'd file)
> are more critical than the private key.  (If) They are sufficiently
> protected and I'll just keep the private key behind the same
> fortifications.  So, what does an HSM add?

I think the general idea is that if you have to edit your zone because
it was tampered with, chances are that nobody will notice (or
everybody will attribute it to routine maintenance).  If your key is
compromised and you have to replace it out of schedule, you might have
got some explaining to do. 8-)

Of course, this isn't a strong argument in favor of HSMs.

-- 
Florian Weimer                <fwei...@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
