On Thu, Sep 06, 2018 at 02:34:12PM -0300, Hugo Salgado-Hernández wrote:
> Hi Mukund.
> I talked about this to Davey in Montreal. There's an implementation
> in github[1] and presentations in OARC[2] and ICANN[3].

Aha, so you're the original source :)

> I'm not sure if it's being used right now in a live zone, but certainly
> in labs and testing. There's been some interest with academic
> institutions, but I don't think they're ready yet.
>
> We've been trying to focus this technology as a "poor-man's" HSM, as
> having similar security features without buying expensive HW.
> But I think the root and similar high-value zones will benefit from
> having a split of the private key AND the fact of not needing a
> "root key ceremony" to sign, because you can sign remotely with
> each piece of the private key, and transmit the "signature pieces"
> to a central place.
>
> Hugo
>
> [1] https://github.com/niclabs/docker/tree/master/tchsm
> [2] <https://indico.dns-oarc.net/getFile.py/access?contribId=22&sessionId=3&resId=1&materialId=slides&confId=20>
> [3] <http://buenosaires48.icann.org/en/schedule/wed-dnssec/presentation-dnssec-cryptographic-20nov13-en>

So this is implemented as a PKCS 11 provider.. interesting. In my mind I was
thinking along the lines of updates to dnssec-keygen + dnssec-signzone +
intermediate RRSIG representation using new RR type + zone transfers to
share intermediate effects.

Mukund

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
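The mechanism Hugo describes above (each holder of a key piece signs remotely, and the "signature pieces" are multiplied together at a central place) is shown below in its simplest form: the RSA private exponent d is split additively among k signers. This is an added example written for this thread, not code from the tchsm project, which may use a different threshold scheme; it is k-of-k rather than a true t-of-n threshold scheme (a scheme such as Shoup's threshold RSA is what adds fault tolerance), and the RSA parameters are constructed toy values that are far too small for real use. No party ever holds the full d, and a signature assembled from fewer than all pieces does not verify.

```python
import hashlib
import secrets
from functools import reduce

# Constructed toy RSA parameters (illustration only; real keys are 2048+ bits).
P = 999983
Q = 1000003
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)  # the full private exponent; only used here to create shares


def split_private_exponent(d: int, parties: int, phi: int = PHI) -> list[int]:
    """Additively share d: pick random d_1..d_{k-1}, then choose d_k so the sum is d mod phi.

    Each signer receives exactly one share; no single share reveals anything about d.
    """
    shares = [secrets.randbelow(phi) for _ in range(parties - 1)]
    shares.append((d - sum(shares)) % phi)
    return shares


def digest(message: bytes, n: int = N) -> int:
    """Toy message representative: SHA-256 reduced mod n.

    A real DNSSEC signer would apply PKCS#1 v1.5 padding to the RRset hash instead.
    """
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def partial_sign(share: int, m: int, n: int = N) -> int:
    """Run independently (and remotely) by each share holder using only its own share."""
    return pow(m, share, n)


def combine(partials: list[int], n: int = N) -> int:
    """Central place multiplies the pieces: prod m^{d_i} = m^{sum d_i} = m^d (mod n)."""
    return reduce(lambda acc, s: acc * s % n, partials, 1)


def verify(signature: int, m: int, e: int = E, n: int = N) -> bool:
    """Ordinary RSA verification; the validator does not know the key was split."""
    return pow(signature, e, n) == m


def threshold_sign(message: bytes, parties: int = 3) -> tuple[int, list[int]]:
    """Full round: share the key, collect one piece per party, combine centrally.

    Returns the assembled signature and the individual pieces (kept so a caller
    can show that dropping any one piece breaks the signature).
    """
    shares = split_private_exponent(D, parties)
    m = digest(message)
    partials = [partial_sign(s, m) for s in shares]
    return combine(partials), partials


if __name__ == "__main__":
    # Constructed sample input standing in for a canonical RRset to be signed.
    rrset = b"example.\t3600\tIN\tSOA\tns1.example. hostmaster.example. 2018090601 7200 900 1209600 3600"
    sig, pieces = threshold_sign(rrset, parties=3)
    print("assembled signature verifies:", verify(sig, digest(rrset)))
    print("signature from only two pieces verifies:", verify(combine(pieces[:2]), digest(rrset)))
```

The validator side is unchanged: the assembled signature is a plain RSA signature, which is why an approach like this can sit behind a PKCS#11 interface without the zone-signing tools knowing the key was ever split.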