[dns-operations] HSM recommendations

Marc Groeneweg Marc.Groeneweg at sidn.nl
Wed Sep 6 17:07:09 UTC 2017


All,

As stated before, we are happy with our Lunas. But to be quite honest, I am not sure the HSM manufacturers are going in the same direction as we are as DNSSEC operators. Support for new algorithms is slow (ECDSA support is minimal; let’s not talk about the new Edwards curve algorithms). I also find their commitment to DNSSEC much less than was the case 5-6 years ago. So, this worries me.

I like the CrypTech project very much, but without financial support from a community like this, it won’t reach the maturity we have with the HSMs on the market today. Features like high availability, networked devices, and horizontal scaling to optimize signing speed are necessary to run our TLD business…

My 2 cents,
Marc

From: dns-operations <dns-operations-bounces at dns-oarc.net> on behalf of Georg Kahest <georg.kahest at internet.ee>
Date: Wednesday, 6 September 2017 at 15:41
To: Barry O'Donovan <barry+dnsops at islandbridgenetworks.ie>, dns-operations <dns-operations at dns-oarc.net>
Subject: Re: [dns-operations] HSM recommendations

On 09/06/17 09:27, Barry O'Donovan wrote:

This looks like an interesting project but I cannot recommend or advise avoidance:

https://cryptech.is/
https://ripe69.ripe.net/presentations/136-141106.ripe-cryptech.pdf

I'd be interested in anyone's experience / thoughts on this.

Also the new emergence of cloud-based services:

https://aws.amazon.com/cloudhsm/
AWS CloudHSM used to be run on Safenet hardware; I wonder what they use now.

Q: Will my Safenet-based HSMs be retired?

No. While we believe the feature set and cost of the new CloudHSM service offer a far more attractive alternative, we will maintain AWS CloudHSM Classic for existing customers. Resources will be available shortly to assist in migrating from CloudHSM Classic to the new service.
https://aws.amazon.com/cloudhsm/faqs/

 - Barry

Bill Woodcock wrote:

On Sep 5, 2017, at 12:25 PM, Brett <brettcarr at gmail.com> wrote:

It's been a long time since I looked at HSMs (my previous experience is with Sun (PCI) and Thales (Network)), but this was all a few years ago now. What is popular these days, and are there any that anyone would particularly avoid or recommend?

We have a fleet of AEP Keypers, which we’ve been extraordinarily happy with. They’ve worked exactly as advertised, without any hiccups, and AEP’s support has been outstanding when we’ve wanted to do things outside of the ordinary. I think we’re signing ~100 TLDs with them, have been using them for about six years, and just finished a rotation out for their routine service and battery replacement, all of which went smoothly.

-Bill

_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations