[dns-operations] .de DNSSEC issue root cause

Joe Abley jabley at strandkip.nl
Fri Jun 12 17:56:29 UTC 2026


On 12 Jun 2026, at 18:32, Randy Bush <randy at psg.com> wrote:

> if not, i have to generate externally to the HSMs, yes?

You have some options, I think. e.g.

- choose your HSM vendors carefully so that there are opportunities to replicate secrets between HSMs without exposing them. This is not impossible.

- use multiple vendors and publish a public key from each. If I understand what I have read, if DENIC had included a ZSK per HSM in their DNSKEY RRSet, then signatures over RRSets in the zone by any one of them would have validated just fine.

Generally, I think it's much easier to have confidence in a system where the secrets remain beyond the tamper barrier at all times, by design than to manage the exposure. But different risk assessments might well point to different solutions.

There is certainly a set of risks that a vendor monoculture does nothing to address.


Joe
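The per-HSM ZSK arrangement in the second option above, as an added example that is not part of this post or of any DENIC or vendor software: a minimal Go model of DNSKEY key tags (RFC 4034 Appendix B) and resolver-side RRSIG validation. It assumes Ed25519 (DNSSEC algorithm 15) and, as a simplification, signs bare RRset bytes rather than the full RFC 4034 canonical form with the RRSIG header.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// DNSKEY RDATA fields (RFC 4034 section 2); keys here are Ed25519, DNSSEC algorithm 15.
type DNSKEY struct {
	Flags     uint16 // 256 marks a zone key (ZSK); the protocol octet is always 3
	Algorithm uint8
	PublicKey []byte
}
// RRSIG names its signing key by algorithm and key tag and carries the signature.
type RRSIG struct {
	Algorithm uint8
	KeyTag    uint16
	Signature []byte
}

// KeyTag is the RFC 4034 Appendix B checksum over the wire-format DNSKEY RDATA.
func KeyTag(k DNSKEY) uint16 {
	rdata := append([]byte{byte(k.Flags >> 8), byte(k.Flags), 3, k.Algorithm}, k.PublicKey...)
	var ac uint32
	for i, b := range rdata {
		ac += uint32(b) << (8 * uint((i+1)%2)) // even-indexed octets are the high byte
	}
	return uint16(ac + (ac>>16)&0xFFFF)
}

// NewZSK generates one zone-signing key; in the setup discussed above each HSM holds its own.
func NewZSK() (DNSKEY, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return DNSKEY{Flags: 256, Algorithm: 15, PublicKey: pub}, priv
}

// Sign produces an RRSIG over data (simplified: the canonical RRset bytes without the RRSIG header).
func Sign(k DNSKEY, priv ed25519.PrivateKey, data []byte) RRSIG {
	return RRSIG{Algorithm: k.Algorithm, KeyTag: KeyTag(k), Signature: ed25519.Sign(priv, data)}
}

// Validate does what a resolver does: any published DNSKEY whose algorithm and key tag match and
// whose public key verifies the signature is enough, so with one ZSK per HSM either HSM's signature validates.
func Validate(dnskeys []DNSKEY, sig RRSIG, data []byte) bool {
	for _, k := range dnskeys {
		if k.Algorithm == sig.Algorithm && KeyTag(k) == sig.KeyTag &&
			ed25519.Verify(ed25519.PublicKey(k.PublicKey), data, sig.Signature) {
			return true
		}
	}
	return false
}
```

A key that is absent from the published DNSKEY RRset fails validation regardless of which HSM produced the signature, which is the situation the per-HSM ZSK publication avoids.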

