* Edward Lewis:

> This comes from the observation that the contents of the database
> sourcing the zone (whether a commercial-like database or a vi'd file)
> are more critical than the private key. (If) They are sufficiently
> protected and I'll just keep the private key behind the same
> fortifications. So, what does an HSM add?

I think the general idea is that if you have to edit your zone because it was tampered with, chances are that nobody will notice (or everybody will attribute it to routine maintenance). If your key is compromised and you have to replace it out of schedule, you might have got some explaining to do. 8-)

Of course, this isn't a strong argument in favor of HSMs.

-- 
Florian Weimer                <fwei...@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop