[dns-operations] Destroying HSMs

Ted Cooper ml-dnsops13k at linuxwan.net
Thu Feb 1 00:50:39 UTC 2018


On 01/02/18 10:10, Paul Hoffman wrote:
> (It is rare that I get to create click-bait subject lines that are fully
> accurate...)
> 
> At next week's key ceremony, ICANN is also planning to physically destroy
> two HSMs that have already been put out of commission. The earlier step
> was to zeroize them using the HSM manufacturer's instructions, and this
> next step can be thought of as "physically zeroizing" them before
> removing them from the secure facility.
> 
> Some people on this list have a love/hate relationship with HSMs and
> might enjoy watching the process of two of them being destroyed. The
> information about the ceremony, including the proposed script for
> destruction, is here:
> 
> https://www.iana.org/dnssec/ceremonies/32


Favourite line:

"9. CA and Contractor performs the destruction of each HSM part repeatedly."


.. but with which tool! I can only imagine that an unspecified "Tool G"
is a 10 pound sledge hammer, although that does make it slightly harder
for "10. CA and IW1 collects all the pieces of the destroyed HSM parts,
then gives it to RKOS for proper disposal."



