[dns-operations] HSM recommendations
Marc Groeneweg
Marc.Groeneweg at sidn.nl
Wed Sep 6 17:07:09 UTC 2017
All,
As stated before we are happy with our Luna’s. But to be quite honest, I am not sure if the HSM manufacturers are going in the same direction as we do as DNSSEC operators. Support of new algorithms are slow (ECDSA support is minimal, let’s not talk about the new Edwards curve algorithms). And also, I find their commitment towards DNSSEC much less, then was the case 5-6 years ago. So, this worries me.
I like the CrypTech project very much, but without our financial support from (like this) community, it won’t see a maturity as we have with the current HSM in the market today. Features like high availability, networked devices, and horizontal scaling for optimizing signing speeds are necessary to run our TLD business…
My 2 cents,
Marc
From: dns-operations <dns-operations-bounces at dns-oarc.net> on behalf of Georg Kahest <georg.kahest at internet.ee>
Date: Wednesday, 6 September 2017 at 15:41
To: Barry O'Donovan <barry+dnsops at islandbridgenetworks.ie>, dns-operations <dns-operations at dns-oarc.net>
Subject: Re: [dns-operations] HSM recommendations
On 09/06/17 09:27, Barry O'Donovan wrote:
This looks like an interesting project but I cannot recommend or advise
avoidance:
https://cryptech.is/
https://ripe69.ripe.net/presentations/136-141106.ripe-cryptech.pdf
I'd be interested in anyone's experience / thoughts on this.
Also the new emergence of cloud based services:
https://aws.amazon.com/cloudhsm/
aws cloudhsm used to be ran on Safenet hardware, i wonder what they use now
Q: Will my Safenet-based HSMs be retired?
No. While we believe the feature set and cost of the new CloudHSM service offer a far more attractive alternative, we will maintain AWS CloudHSM Classic for existing customers. Resources will be available shortly to assist in migrating from CloudHSM Classic to the new service.
https://aws.amazon.com/cloudhsm/faqs/
- Barry
Bill Woodcock wrote:
On Sep 5, 2017, at 12:25 PM, Brett <brettcarr at gmail.com><mailto:brettcarr at gmail.com> wrote:
It's been a long time since I looked at HSM's (my previous
experience is with Sun (PCI) and Thales (Network), but this was
all a few years ago now. What is popular these days and is there
any that anyone would particularly avoid or recommend.
We have a fleet of AEP Keypers, which we’ve been extraordinarily
happy with. They’ve worked exactly as advertised, without any
hiccups, and AEP’s support has been outstanding, when we’ve wanted
to do things outside-of-the-ordinary. I think we’re signing ~100
TLDs with them, been using them for about six years, just finished
a rotation out for their routine-service and battery replacement,
all of which went smoothly.
-Bill
_______________________________________________ dns-operations
mailing list dns-operations at lists.dns-oarc.net<mailto:dns-operations at lists.dns-oarc.net>
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
_______________________________________________
dns-operations mailing list
dns-operations at lists.dns-oarc.net<mailto:dns-operations at lists.dns-oarc.net>
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-operations mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20170906/c16ac78a/attachment-0001.html>
More information about the dns-operations
mailing list