At 13:03 +0200 4/21/09, Shane Kerr wrote:
> The whole idea of offline storage for the zone itself is so fantastical
An artifact in the DNSSEC concept stemming from the days when DNSSEC was discussed in the Security Area of the IETF. Fantastical is a good word.
> It might be more useful to recommend HSM - or at least encryption - for private key data. I didn't see any references to this, and AFAIK everybody does it (or feels guilty for not doing it).
I can't rationalize a justification of HSMs for DNSSEC. I mean, outside of "doing it because we can say we do it" I think it is overkill (in some environments), and feel more guilty spending money on something I see as window dressing.
This comes from the observation that the contents of the database sourcing the zone (whether a commercial-like database or a vi'd file) are more critical than the private key. (If) They are sufficiently protected and I'll just keep the private key behind the same fortifications. So, what does an HSM add?
(Really, I'd like to know...;))
-- 
Edward Lewis
NeuStar
You can leave a voice message at +1-571-434-5468
Getting everything you want is easy if you don't want much.