On 2026-02-20 09:03 -08, Wes Hardaker <[email protected]> wrote:

> Peter Thomassen via Datatracker <[email protected]> writes:
>
>> This document describes the issues surrounding the handling of DNSSEC
>> private keys in a DNSSEC signer. It presents operational guidance in
>> case a DNSSEC private key becomes inoperable.
>
> In general I favor adopting this as it provides some guidance that is
> certainly needed for helping people recover in emergent situations.
>
> Having said that, I do take issue with the scope vs the text. The
> introduction states:
>
>    The private key is typically kept secret by using Hardware Security
>    Modules (HSMs).
>
> This is definitely not typical. It may be typical for TLDs (and the
> root, which is out of scope) and maybe some other high-value zones. But
> of the 24.8M domains signed today, I'd argue a very very very low
> percentage makes use of HSMs.
Agreed.

> So either: the document should clearly state this is only for zones that
> make use of HSMs or similar technologies, or should be framed more
> generically to benefit anyone that loses their key regardless of how.
> I'd opt for the second option.

The intention was to document how to recover from key loss, regardless of
how. The reason we bring HSMs up is that sooner or later someone will
mention HSMs as a solution to keep private keys secure. Which is what they
do: they keep your keys confidential. But they do not solve the
availability (i.e. backup) problem, or solve it in a way that's super
complicated. This is a general statement about HSMs; it has nothing to do
with DNS.

Now, the upshot of DNS is, you don't actually need backups of your private
keys, or super complicated backups. This draft tells you how to recover
your keys when your backup strategy fails:

| Unlike the private key, a DNSSEC signed zone can be considered public
| data with its integrity protected by signatures. Signed zones can be
| added to the normal, established backup procedures.
|
| The rest of the document describes procedures on how to restore
| DNSSEC signing functionality with only a backup of the signed zone
| available.

I guess we have to trim the text before this ^ considerably.

> --
> Wes Hardaker
> Google

--
In my defence, I have been left unsupervised.

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
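As an added illustration of the point above that the signed zone itself is the backup artifact (example code written for this page, not taken from the draft or from any DNSOP participant): the RRSIGs in a backed-up signed zone carry inception and expiration times, so a restore that relies on that backup is only useful while those signatures are still valid, and the check a practitioner wants before trusting such a backup is "which RRsets are unsigned, already expired, or about to expire". The script below parses a constructed signed-zone fragment (not a real zone; names, key tags, signature bytes and the 14-day margin are all assumptions) in presentation format and produces exactly that report.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: a fragment of a backed-up signed zone (one record per
# line, presentation format). Not a real zone; signatures are placeholders.
SAMPLE_ZONE = """\
example.test.     3600 IN SOA    ns1.example.test. hostmaster.example.test. 2026022001 7200 3600 1209600 3600
example.test.     3600 IN RRSIG  SOA 13 2 3600 20260320090000 20260220090000 12345 example.test. c29tZXNpZw==
example.test.     3600 IN NS     ns1.example.test.
example.test.     3600 IN RRSIG  NS 13 2 3600 20260320090000 20260220090000 12345 example.test. c29tZXNpZw==
example.test.     3600 IN DNSKEY 257 3 13 a2V5ZGF0YQ==
example.test.     3600 IN RRSIG  DNSKEY 13 2 3600 20260305090000 20260220090000 54321 example.test. c29tZXNpZw==
www.example.test. 3600 IN A      192.0.2.1   ; deliberately left without an RRSIG
"""

RRSIG_TIME = "%Y%m%d%H%M%S"  # RRSIG presentation format for inception/expiration


def parse_zone(text):
    """Parse one-record-per-line presentation format into (owner, type, rdata fields).

    Comments after ';' are stripped; owner and type are normalised so that
    RRset keys compare reliably.
    """
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        owner, rtype = fields[0].lower(), fields[3].upper()
        records.append((owner, rtype, fields[4:]))
    return records


def rrsig_windows(records):
    """Map (owner, covered type) -> (inception, expiration, key tag).

    RRSIG rdata order per RFC 4034: type covered, algorithm, labels,
    original TTL, expiration, inception, key tag, signer, signature.
    If an RRset has several RRSIGs (e.g. DNSKEY signed by KSK and ZSK), the
    one that expires last is kept, since that is what bounds usability.
    """
    windows = {}
    for owner, rtype, rdata in records:
        if rtype != "RRSIG":
            continue
        covered = rdata[0].upper()
        expiration = datetime.strptime(rdata[4], RRSIG_TIME).replace(tzinfo=timezone.utc)
        inception = datetime.strptime(rdata[5], RRSIG_TIME).replace(tzinfo=timezone.utc)
        key_tag = int(rdata[6])
        prev = windows.get((owner, covered))
        if prev is None or expiration > prev[1]:
            windows[(owner, covered)] = (inception, expiration, key_tag)
    return windows


def audit_signed_zone(text, now, margin=timedelta(days=14)):
    """Report RRsets whose signatures are missing, expired, not yet valid,
    or expiring within `margin` of `now` (a timezone-aware datetime)."""
    records = parse_zone(text)
    windows = rrsig_windows(records)
    rrsets = sorted({(o, t) for o, t, _ in records if t != "RRSIG"})
    report = {"unsigned": [], "expired": [], "expiring": [], "not_yet_valid": []}
    for key in rrsets:
        if key not in windows:
            report["unsigned"].append(key)
            continue
        inception, expiration, _ = windows[key]
        if now < inception:
            report["not_yet_valid"].append(key)
        elif expiration <= now:
            report["expired"].append(key)
        elif expiration - now < margin:
            report["expiring"].append(key)
    return report


if __name__ == "__main__":
    now = datetime(2026, 2, 25, tzinfo=timezone.utc)  # assumed "restore time"
    for category, rrsets in audit_signed_zone(SAMPLE_ZONE, now).items():
        for owner, rtype in rrsets:
            print(f"{category:14s} {owner} {rtype}")
```

Run against a real backup, the interesting output is the `expired` and `expiring` lists: anything in them tells you how much time the signed-zone backup buys you before the zone goes bogus, which is the window in which a new key must be generated, signatures regenerated and the DS updated.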
