[dns-operations] HSM recommendations

Richard Lamb richard.lamb at icann.org
Fri Sep 8 09:45:21 UTC 2017


George is right.  I understand that unless the HSMs are KMIP compliant, in addition to enabling wrap/unwrap, you can't export/import across vendors.
I am reaching here, but I think this makes double-signing rollover harder.  But I have always been a proponent of double-DS/pre-gen rollover.

Only other thing I can add to this thread is that if cost is a concern, I've used the German SmartCard-HSM smart card (~$15), which is one of the very few smartcards that have export/import wrap/unwrap capability to allow you to create backups.
Haven't tried import/export to other HSMs, but the card is well supported by OpenSC. Sample ceremony script here: https://www.co.tt/eeint/ee-uae-dnssec-KC-demo-main.pdf  The smartcard (KSK) is only used to sign the DNSKEY RRset offline, with ZSKs in software.  So speed of the HSM is not an issue.

-Rick
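The wrap/unwrap feature both George and Rick refer to is the PKCS#11 C_WrapKey/C_UnwrapKey path: the private key never leaves the device in the clear, only a blob encrypted under a key-encryption key (KEK) does, and the receiving device unwraps it under the same KEK. One mechanism commonly offered for that is AES Key Wrap (RFC 3394, CKM_AES_KEY_WRAP in PKCS#11). The following is an added, self-contained Go implementation of RFC 3394 wrap and unwrap, not code from this thread, from OpenSC or from any HSM vendor; the "KSK private key" in main is a constructed stand-in byte string, and the KEK and key data in the test are the RFC's own published vector. It also shows the failure mode that matters for a backup: a blob that was tampered with, or unwrapped under the wrong KEK, is rejected by the integrity check rather than yielding garbage key material.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// RFC 3394 default initial value; after unwrap it doubles as an integrity check.
var rfc3394IV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// xorCounter XORs the 64-bit big-endian step counter t into the register a.
func xorCounter(a []byte, t uint64) {
	var tb [8]byte
	binary.BigEndian.PutUint64(tb[:], t)
	for k := 0; k < 8; k++ {
		a[k] ^= tb[k]
	}
}

// WrapKey wraps key material under kek as in RFC 3394 section 2.2.1.
// plaintext must be a multiple of 8 bytes and at least 16 bytes (n >= 2).
func WrapKey(kek, plaintext []byte) ([]byte, error) {
	if len(plaintext)%8 != 0 || len(plaintext) < 16 {
		return nil, errors.New("plaintext must be a multiple of 8 bytes and at least 16 bytes")
	}
	block, err := aes.NewCipher(kek) // kek must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	n := len(plaintext) / 8
	a := make([]byte, 8)
	copy(a, rfc3394IV)
	r := make([]byte, len(plaintext)) // R[1..n], stored 0-based as r[i*8:(i+1)*8]
	copy(r, plaintext)
	b := make([]byte, 16)
	for j := 0; j <= 5; j++ {
		for i := 0; i < n; i++ {
			copy(b[:8], a)
			copy(b[8:], r[i*8:(i+1)*8])
			block.Encrypt(b, b) // B = AES(K, A | R[i])
			copy(a, b[:8])
			xorCounter(a, uint64(n*j+i+1)) // A = MSB(B) ^ t, t = n*j + i (1-based i)
			copy(r[i*8:(i+1)*8], b[8:])  // R[i] = LSB(B)
		}
	}
	return append(a, r...), nil
}

// UnwrapKey inverts WrapKey (RFC 3394 section 2.2.2) and fails closed if the
// recovered IV does not match, i.e. wrong KEK or a modified blob.
func UnwrapKey(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped)%8 != 0 || len(wrapped) < 24 {
		return nil, errors.New("wrapped blob must be a multiple of 8 bytes and at least 24 bytes")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	a := make([]byte, 8)
	copy(a, wrapped[:8])
	r := make([]byte, 8*n)
	copy(r, wrapped[8:])
	b := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			xorCounter(a, uint64(n*j+i+1)) // A ^ t
			copy(b[:8], a)
			copy(b[8:], r[i*8:(i+1)*8])
			block.Decrypt(b, b) // B = AES^-1(K, (A ^ t) | R[i])
			copy(a, b[:8])
			copy(r[i*8:(i+1)*8], b[8:])
		}
	}
	if !bytes.Equal(a, rfc3394IV) {
		return nil, errors.New("integrity check failed: wrong KEK or corrupted wrapped blob")
	}
	return r, nil
}

func main() {
	// Constructed demo values: a 32-byte KEK shared between the two devices and a
	// stand-in "KSK private key" blob (not a real key).
	kek := bytes.Repeat([]byte{0x42}, 32)
	kskPriv := []byte("constructed-ksk-private-key-bytes!!!") // 36 bytes is not a multiple of 8
	kskPriv = kskPriv[:32]                                  // so truncate for the demo
	blob, err := WrapKey(kek, kskPriv)
	if err != nil {
		panic(err)
	}
	fmt.Println("wrapped blob (safe to move between devices):", hex.EncodeToString(blob))
	back, err := UnwrapKey(kek, blob)
	fmt.Println("unwrap ok:", err == nil && bytes.Equal(back, kskPriv))
	blob[12] ^= 0x01 // flip one bit in transit
	_, err = UnwrapKey(kek, blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The point for a ceremony is that the wrapped blob is what you archive or carry to the second device; the KEK must be provisioned into both devices out of band (a wrapped key under a KEK that exists only on the source HSM is exactly the vendor lock-in George describes).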


> -----Original Message-----
> From: dns-operations [mailto:dns-operations-bounces at dns-oarc.net] On
> Behalf Of George Michaelson
> Sent: Friday, September 8, 2017 2:36 AM
> To: dns-operations <dns-operations at dns-oarc.net>
> Subject: Re: [dns-operations] HSM recommendations
> 
> Others may have said, will say this better, but a long-term issue to keep
> aware of, is that most HSMs I've interacted with offer 'not beyond the
> grandparent' rules: you can move tokens, devices across the generation but
> only within the child-parent-grandparent space or maybe even less.
> 
> Old keystore hardware doesn't fit in new keystore slots, but it's not just
> electromechanical. I can't decide if this is a sell thing, or a risk thing.
> 
> If you spec, buy and operate a LUNA a certain way, you never get key export
> to another family of HSM. It's factory set, so you have to say in advance you
> want the key wrap/export feature. Wipe mandatory.
> 
> -G
> 
> On Thu, Sep 7, 2017 at 11:32 PM, Rubens Kuhl <rubensk at nic.br> wrote:
> >
> > On Sep 5, 2017, at 4:25 PM, Brett <brettcarr at gmail.com> wrote:
> >
> > It's been a long time since I looked at HSMs (my previous experience
> > is with Sun (PCI) and Thales (Network)), but this was all a few years
> > ago now. What is popular these days and is there any that anyone would
> > particularly avoid or recommend?
> >
> >
> >
> > I wouldn't say it's popular, but keeps the TLD I work for happy:
> > https://www.kryptus.com/en-home
> >
> >
> >
> > Rubens
> >
> >
> >
> >
> >
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
