[dns-operations] .de DNSSEC issue root cause
Randy Bush
randy at psg.com
Fri Jun 12 18:05:31 UTC 2026
> - choose your HSM vendors carefully so that there are opportunities to
> replicate secrets between HSMs without exposing them. This is not
> impossible.
no standard exists
> - use multiple vendors and publish a public key from each. If I
> understand what I have read, if DENIC had included a ZSK per HSM in
> their DNSKEY RRSet, then signatures over RRSets in the zone by any
> one of them would have validated just fine.
yes. but from what i read, i think they were going for a single key
> Generally, I think it's much easier to have confidence in a system
> where the secrets remain beyond the tamper barrier at all times, by
> design than to manage the exposure. But different risk assessments
> might well point to different solutions.
as sra points out [knot's
multi-signer](https://en.blog.nic.cz/2025/05/07/knot-dns-in-a-complex-dnssec-topology/)
approach has appeal; though it is a bit complex
randy
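To make the "ZSK per HSM" point in the quoted bullet concrete, here is an added example (not code from the thread, from DENIC or from Knot) of what a validating resolver actually does with a DNSKEY RRset that carries one ZSK per HSM: it computes the RFC 4034 key tag over each published key and accepts an RRSIG if any key with a matching algorithm and tag verifies it, so a signature made by either HSM validates as long as both public keys are published. Keys, the RRset data and the record layout are constructed for the example; Ed25519 (algorithm 15) is used because Go's standard library provides it.

```go
package main

import "crypto/ed25519"

// DNSKEY as a validator sees it: Flags 256 = ZSK, protocol 3, Alg 15 = ED25519.
type DNSKEY struct {
	Flags  uint16
	Alg    uint8
	PubKey []byte
}
// RRSIG reduced to the fields a validator uses to select a key (RFC 4034 s.3.1).
type RRSIG struct {
	Alg    uint8
	KeyTag uint16
	Sig    []byte
}

// KeyTag is RFC 4034 Appendix B over the wire-format RDATA (general case; algorithm 1 differs).
func KeyTag(k DNSKEY) uint16 {
	rdata := append([]byte{byte(k.Flags >> 8), byte(k.Flags), 3, k.Alg}, k.PubKey...)
	var ac uint32
	for i, c := range rdata { // even offsets are high bytes, odd offsets low bytes
		ac += uint32(c) << (8 * uint((i+1)%2))
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}
// NewZSK stands in for one HSM generating its own ZSK (constructed keys, not DENIC's).
func NewZSK() (DNSKEY, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	return DNSKEY{Flags: 256, Alg: 15, PubKey: pub}, priv
}
// Sign produces an RRSIG over already-canonicalised RRset data with one HSM's key.
func Sign(k DNSKEY, priv ed25519.PrivateKey, data []byte) RRSIG {
	return RRSIG{Alg: k.Alg, KeyTag: KeyTag(k), Sig: ed25519.Sign(priv, data)}
}
// Validate follows RFC 4035 s.5.3.1: any DNSKEY in the published RRset whose algorithm and
// key tag match and whose key verifies the signature suffices; no single key is special.
func Validate(keys []DNSKEY, sig RRSIG, data []byte) bool {
	for _, k := range keys {
		if k.Alg == sig.Alg && KeyTag(k) == sig.KeyTag &&
			ed25519.Verify(ed25519.PublicKey(k.PubKey), data, sig.Sig) {
			return true
		}
	}
	return false
}
```

Publishing only one HSM's key is the failure case: a signature from the other HSM then has no matching DNSKEY and the RRset is treated as bogus.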