[dns-operations] .de DNSSEC issue root cause

Joe Abley jabley at strandkip.nl
Fri Jun 12 08:48:12 UTC 2026


On 12 Jun 2026, at 10:20, Klaus Malorny <Klaus.Malorny at knipp.de> wrote:

> 
> On 11.06.26 20:50, Mukund Sivaraman wrote:
>> The article in German has an addendum (English translation by Google
>> Translate):
>> "Addendum from May 11, 2026: There was no "keytag" collision. Rather,
>> instead of generating one key pair and storing it on three HSMs, the
>> software generated three different key pairs – one for each HSM. All
>> three HSMs were used for signing, but only one had a key that matched
>> the (pre-)published DNSKEY RR."
> 
> this wording puzzles me a bit.

Me too. Key generation is something that normally happens within the HSM. The text makes it sound like key generation happened elsewhere. But perhaps this is just an overly-pedantic interpretation of the addendum.

In any case, this does not sound like the work of the famous Mr Murphy so much as some missing unit tests for the software used to carry out the key management. Checking that signatures over the same plain text from all production HSMs match seems like an important thing to verify before you let them loose into the wild.  


Joe
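A defender-side version of the pre-deployment check Joe describes, added here as an illustration and not part of the thread or of any registry's tooling: every HSM slot is asked to export its public key and sign a probe, and each result is compared with the pre-published DNSKEY RR. The HSM type, the algorithm (Ed25519, DNSSEC algorithm 15) and the three-device scenario are assumptions constructed for the example; verifying each signature under the published key, rather than comparing raw signature bytes, is used because it also holds for non-deterministic algorithms such as ECDSA.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// hsm stands in for one HSM slot (constructed for this example): it only
// signs and exports its public key, as a real device would.
type hsm struct {
	name string
	priv ed25519.PrivateKey
}

// dnskeyRdata builds the DNSKEY RDATA (flags, protocol 3, algorithm 15,
// public key) so each device's key can be compared with the published RR.
func dnskeyRdata(flags uint16, pub ed25519.PublicKey) []byte {
	rd := []byte{byte(flags >> 8), byte(flags), 3, 15}
	return append(rd, pub...)
}

// checkHSMs returns the names of devices that either export a public key
// differing from the published DNSKEY or produce a signature over the
// probe that does not verify under it.
func checkHSMs(published []byte, devices []hsm, probe []byte) []string {
	pub := ed25519.PublicKey(published[4:])
	var bad []string
	for _, d := range devices {
		sig := ed25519.Sign(d.priv, probe)
		exported := dnskeyRdata(257, d.priv.Public().(ed25519.PublicKey))
		if !bytes.Equal(exported, published) || !ed25519.Verify(pub, probe, sig) {
			bad = append(bad, d.name)
		}
	}
	return bad
}

// demo reproduces the situation in the addendum: three different key pairs,
// but a DNSKEY RR pre-published for only the first of them.
func demo() []string {
	var devs []hsm
	for i := 1; i <= 3; i++ {
		_, priv, _ := ed25519.GenerateKey(rand.Reader)
		devs = append(devs, hsm{fmt.Sprintf("hsm-%d", i), priv})
	}
	published := dnskeyRdata(257, devs[0].priv.Public().(ed25519.PublicKey))
	return checkHSMs(published, devs, []byte("probe: sign me on every HSM"))
}

func main() {
	fmt.Println("HSMs not matching the published DNSKEY:", demo())
}
```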

